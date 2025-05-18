This post is about how to keep secrets out of logs, and my claim is that (like many things in security) there isn’t a singular action or silver bullet that lets you do this. I would go so far as to say that there’s not even an 80/20 rule, where one action fixes 80% of the problem. It’s not like preventing SQL injection with prepared statements or preventing buffer overflows by using memory-safe languages.

What I will offer instead, are lead bullets, of which there are many. I’m going to talk about 10 of them. They are imperfect and sometimes unreliable things that, if put in the right places and with defense-in-depth, can still give us a real good chance at succeeding. My hope is that by the end, you’ll have a slightly better framework for how to reason about this problem and some new ideas to add to your kit.