Entire request body logged
Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A print/log call writes out the whole request body/POST object, capturing whatever field a client happens to send (passwords, tokens, personal data) without anyone having to name it.
Why it matters
Logging the entire request body or POST data captures whatever the endpoint receives, including any password, token, or personal field a client sends, without anyone having to remember to add it to the log line. This is how sensitive fields end up in logs even in codebases that are otherwise careful about not logging named secrets, since the wholesale log call does not know what is inside the object. It is also a common cause of accidental PII exposure found in log-based security reviews.
How to fix it
Replace the wholesale log of the request body with an explicit allowlist of the specific fields that are safe to log, such as a request id or resource type. If full-body logging is needed for debugging, do it only behind a feature flag in a non-production environment, and add an explicit denylist that strips password, token, and other sensitive keys before anything is written out.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo