Always redact sensitive credentials in URLs before logging, displaying in error messages, or serializing to prevent accidental exposure of authentication information. Use dedicated wrapper types like `LogSafeUrl` that automatically handle credential redaction when displaying URLs:
```rust
// INSECURE: Directly logging a URL with potential credentials
log::debug!("Processing URL: {}", url);

// SECURE: Using a wrapper that handles credential redaction
log::debug!("Processing URL: {}", LogSafeUrl::from(url));
```
Be consistent in your approach to credential redaction:
Apply redaction as early as possible in the code path to minimize the risk that future changes might accidentally expose credentials. When implementing redaction logic, clearly document which approach is used in different contexts to maintain security throughout the application.
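One way such a wrapper can behave, as an added example rather than the page's or any project's own code: this `LogSafeUrl` is a hypothetical, std-only implementation, and `redact` and the sample URLs are constructed for illustration. It assumes credentials live only in the userinfo component (`user:password@`); tokens carried in query strings are not touched.

```rust
use std::fmt;

/// Hypothetical stand-in for the `LogSafeUrl` wrapper named above: it keeps
/// the raw URL private and only ever prints a redacted form.
pub struct LogSafeUrl(String);

impl From<&str> for LogSafeUrl {
    fn from(url: &str) -> Self { LogSafeUrl(url.to_owned()) }
}

impl fmt::Display for LogSafeUrl {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&redact(&self.0))
    }
}

// Debug must redact too, or `{:?}` on an enclosing struct leaks the secret.
impl fmt::Debug for LogSafeUrl {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "LogSafeUrl({:?})", redact(&self.0))
    }
}

/// Replace the userinfo part of `scheme://userinfo@host/...` with `****`.
pub fn redact(url: &str) -> String {
    let scheme_end = match url.find("://") {
        Some(i) => i,
        None => return url.to_owned(), // no authority component to redact
    };
    let rest = &url[scheme_end + 3..];
    // The authority ends at the first '/', '?' or '#'; an '@' after that is data.
    let auth_end = rest.find(|c: char| matches!(c, '/' | '?' | '#')).unwrap_or(rest.len());
    // Split on the LAST '@' in the authority: a password may contain a raw '@'.
    match rest[..auth_end].rfind('@') {
        Some(at) => format!("{}://****@{}", &url[..scheme_end], &rest[at + 1..]),
        None => url.to_owned(),
    }
}

fn main() {
    // Constructed sample URLs, not taken from any real system.
    for u in [
        "https://alice:s3cr3t@git.example.com/org/repo.git",
        "https://u:p@ss@git.example.com/org/repo.git",
        "https://git.example.com/org/repo.git?email=a@b.example",
    ] {
        println!("Processing URL: {}", LogSafeUrl::from(u));
    }
}
```

Converting to the wrapper at the point where the URL enters the code path means later `{}` and `{:?}` formatting cannot reach the raw string.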