no-exposed-sensitive-data
Detects exposure of sensitive data (SSN, credit card numbers, passwords, API keys) in logs or output. This rule is part of `eslint-plugin-secure-coding` and provides LLM-optimized error messages that AI assistants can understand.
Keywords: sensitive data, CWE-200, CWE-532, security, ESLint rule, JavaScript, TypeScript, PII, SSN, credit card, password, API key, secrets, data exposure, logging, LLM-optimized, code security
ESLint Rule: no-exposed-sensitive-data with LLM-optimized suggestions (the rule reports and advises; it does not auto-fix).
Quick Summary
| Aspect | Details |
|---|---|
| Severity | Error (Security) |
| Auto-Fix | ❌ No |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | Production applications handling user data |
| Suggestions | ✅ Advice on redacting/masking data |
Vulnerability and Risk
Vulnerability: Sensitive data exposure (information leakage) occurs when an application accidentally reveals sensitive information like passwords, credit card numbers, or API keys in logs, error messages, or other output channels.
Risk: An attacker who can read logs, crash dumps, or verbose error responses can harvest credentials or PII from them, leading to account takeover, identity theft, or further system compromise.
Rule Details
This rule scans for sensitive data (PII, secrets, tokens, passwords) being passed to logging mechanisms or output streams. Logging sensitive information is a critical security vulnerability because log files are often stored insecurely, accessible to too many people, or retained for long periods.
The rule detects:
- Variable names: e.g., `password`, `ssn`, `creditCard`, `token`.
- Object properties: e.g., `user.password`, `payment.cvv`.
- Logging and output functions: e.g., `console.log`, `logger.info`, `res.send`.
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 🔒 Security | Data breaches via logs (CWE-532) | Redact sensitive fields/objects |
| 🛡️ Compliance | GDPR, PCI-DSS, HIPAA violations | Use structured logging with masking |
Configuration
This rule accepts an options object (the comments below are explanatory; strip them if your ESLint config is plain JSON rather than a JS or JSONC file):

```jsonc
{
  "rules": {
    "secure-coding/no-exposed-sensitive-data": ["error", {
      // Allow in test files? (default: false)
      "allowInTests": false,
      // Variable/property names to flag (default list includes: ssn, password, credit, token, secret...)
      "sensitivePatterns": ["ssn", "password", "secret", "token", "apiKey", "credit"],
      // Logging functions/methods to watch (default includes: log, info, warn, error, console)
      "loggingPatterns": ["log", "console", "print", "debug", "error", "info", "trace"]
    }]
  }
}
```

Examples
❌ Incorrect

```javascript
// Logging raw variables
const password = req.body.password;
console.log('User password:', password);

// Logging objects with sensitive props
const user = { id: 1, ssn: '123-456-789' };
logger.info(user);

// Returning sensitive data in error response
function handleError(err, res) {
  res.status(500).send({ error: err.stack, secret: process.env.API_KEY });
}
```

✅ Correct
```javascript
const user = { id: 1, ssn: '123-456-789' };

// Logging only safe identifiers
console.log('User created:', user.id);

// Redacting data before logging (copy the object; never mutate the original)
const safeUser = { ...user, ssn: '***' };
logger.info(safeUser);

// Structured logging with only non-sensitive context
// (ideally through a logger that masks sensitive fields automatically)
logger.info('User action', { userId: user.id });
```

LLM-Based Suggestions
The rule provides guidance:
- "Remove Sensitive Data": advises removing the variable from the log call.
- "Mask Data": suggests replacing the value with `***` or a hash.
Known False Negatives
The following patterns are not detected due to static analysis limitations:

Values from Variables
Why: The rule matches names, not data flow; a sensitive value copied into a neutrally named variable is not traced.

```javascript
// ❌ NOT DETECTED - sensitive value behind a neutral name
const value = req.body.password;
console.log(value);
```

Mitigation: Keep sensitive values in descriptively named variables, and redact at the point of logging rather than relying on the linter alone.

Wrapper Functions
Why: Custom wrappers are not recognized as logging functions unless they are listed in `loggingPatterns`.

```javascript
// ❌ NOT DETECTED - wrapper
myWrapper(password); // Calls console.log internally
```

Mitigation: Add wrapper names to `loggingPatterns`, and apply the rule to the wrapper implementations themselves.

Dynamic Invocation
Why: Dynamic calls are not analyzed.

```javascript
// ❌ NOT DETECTED - dynamic method lookup
obj[method](password);
```

Mitigation: Avoid dynamic method invocation on loggers.
Further Reading
- OWASP: Insertion of Sensitive Information into Log File
- CWE-532: Insertion of Sensitive Information into Log File
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Detection Patterns
The rule detects:
- SSN patterns: `123-45-6789`, `123456789`
- Credit card patterns: `1234-5678-9012-3456`, `1234567890123456`
- Password patterns: variables named `password`, `pwd`, `pass`
- API key patterns: variables named `apiKey`, `apikey`, `secret`, `token`
- Logging contexts: `console.log`, `logger.info`, `winston.log`, etc.
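To make the detection patterns above and the false negatives listed earlier concrete, here is an added example that is not the plugin's implementation (the real rule works on the ESLint AST, not on text): a line-oriented scanner that applies the same name and literal patterns to constructed sample source. The Luhn check attached to card-number findings goes beyond what the rule documents and is included only as a way to rank findings; the regexes, the `scan`/`checkLine` names and the sample lines are all assumptions made for this example.

```javascript
// Added example (not the plugin's code): text-level approximation of the rule.

// A logging call and its argument text (no nested-paren handling; enough for the samples).
const LOGGING_CALL = /\b(?:console|logger|winston|log)\.(?:log|info|warn|error|debug|trace)\s*\(([^)]*)\)/;
// Identifier / property names treated as sensitive (assumed list).
const SENSITIVE_NAME = /\b(?:ssn|password|passwd|pwd|pass|secret|token|api_?key|credit_?card|cvv)\b/i;
const SSN_LITERAL = /\b\d{3}-\d{2}-\d{4}\b/;
const CARD_LITERAL = /\b(?:\d{4}[- ]?){3}\d{4}\b/;

// Luhn mod-10 check over the digits of a candidate card number.
function luhnValid(candidate) {
  const digits = candidate.replace(/\D/g, '').split('').map(Number);
  if (digits.length < 13) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits[digits.length - 1 - i];
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Split an argument list on commas (the samples have no commas inside literals).
function splitArgs(argText) {
  return argText.split(',').map((a) => a.trim()).filter(Boolean);
}

// Return a finding for one source line, or null when nothing is flagged.
function checkLine(line, lineNo) {
  const call = LOGGING_CALL.exec(line);
  if (!call) return null;
  for (const arg of splitArgs(call[1])) {
    if (/^['"`]/.test(arg)) {
      // String literal: look for SSN / card-number shaped values.
      if (SSN_LITERAL.test(arg)) return { line: lineNo, reason: 'SSN literal', arg };
      const card = CARD_LITERAL.exec(arg);
      if (card) return { line: lineNo, reason: 'card-number literal', arg, luhn: luhnValid(card[0]) };
    } else if (SENSITIVE_NAME.test(arg)) {
      // Identifier or member expression such as `password` or `user.ssn`.
      return { line: lineNo, reason: 'sensitive identifier', arg };
    }
  }
  return null;
}

function scan(source) {
  return source.split('\n').map((l, i) => checkLine(l, i + 1)).filter(Boolean);
}

// Constructed sample source: five lines the patterns flag, one clean line,
// and one known false negative (sensitive value behind a neutral name).
const SAMPLE_SOURCE = [
  "console.log('User password:', password);",             // 1 flagged: identifier
  "logger.info('Payment card:', user.creditCard);",       // 2 flagged: member expression
  "console.log('SSN on file: 123-45-6789');",             // 3 flagged: SSN literal
  "winston.log('card', '4111 1111 1111 1111');",          // 4 flagged: card literal, Luhn-valid
  "console.log('order ref', '1234-5678-9012-3456');",     // 5 flagged: card literal, fails Luhn
  "console.log('User created:', user.id);",               // 6 clean
  "const value = req.body.password; console.log(value);", // 7 false negative: not traced
].join('\n');

const findings = scan(SAMPLE_SOURCE);
for (const f of findings) console.log(`line ${f.line}: ${f.reason} (${f.arg})`);
```

Line 7 is the "Values from Variables" false negative: the scanner, like the rule, sees only the name `value` at the call site. Line 5 shows why a shape match alone is noisy: the page's own sample number is not Luhn-valid, so a real card-detection pass would rank it below line 4.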
Examples
❌ Incorrect

```javascript
// Exposing sensitive data in logs
const ssn = '123-45-6789';
console.log('User SSN:', ssn); // ❌ SSN in logs

const creditCard = '1234-5678-9012-3456';
logger.info('Payment card:', creditCard); // ❌ Credit card in logs

const password = req.body.password;
console.log('Password:', password); // ❌ Password in logs

const apiKey = process.env.API_KEY;
winston.log('API Key:', apiKey); // ❌ API key in logs
```

✅ Correct
```javascript
// Masking sensitive data
// Don't log the SSN; log a non-sensitive identifier instead
console.log('User ID:', userId); // ✅ Log non-sensitive data

const creditCard = '1234-5678-9012-3456';
// Mask every digit except the last four; the lookahead counts digits across
// separators, so the hyphenated form is masked too
const masked = creditCard.replace(/\d(?=(?:\D*\d){4})/g, '*'); // '****-****-****-3456'
logger.info('Payment card:', masked); // ✅ Masked card number

const password = req.body.password;
// Don't log passwords at all
hashPassword(password); // ✅ Process without logging

const apiKey = process.env.API_KEY;
// Don't log API keys
useApiKey(apiKey); // ✅ Use without logging
```

Configuration
Default Configuration

```json
{
  "secure-coding/no-exposed-sensitive-data": "error"
}
```

Options
| Option | Type | Default | Description |
|---|---|---|---|
| `allowInTests` | `boolean` | `false` | Allow sensitive data in test files |
| `sensitivePatterns` | `string[]` | `['ssn', 'creditCard', ...]` | Variable/property name patterns treated as sensitive |
| `loggingPatterns` | `string[]` | `['console', 'logger', ...]` | Logging function patterns to watch |
| `ignorePatterns` | `string[]` | `[]` | Additional patterns to ignore |

Example Configuration

```json
{
  "secure-coding/no-exposed-sensitive-data": [
    "error",
    {
      "allowInTests": true,
      "sensitivePatterns": ["ssn", "creditCard", "password", "apiKey"],
      "loggingPatterns": ["console", "logger", "winston"],
      "ignorePatterns": ["/test/", "mock"]
    }
  ]
}
```

Best Practices
- Never log sensitive data: SSN, credit cards, passwords, API keys
- Use data masking: Mask sensitive data if logging is necessary
- Sanitize logs: Remove or redact sensitive information
- Environment variables: Never log API keys or secrets
- Compliance: Follow GDPR, HIPAA, PCI-DSS requirements
Related Rules
- `no-hardcoded-credentials`: Detects hardcoded credentials
- `no-unencrypted-transmission`: Detects unencrypted data transmission