Expose Secret Data When Debugging
In production environments, logging secret data with debug statements is a security
vulnerability. Don’t log secret data, sensitive information, passwords, keys, or stack traces in
production environments. Redact the data or omit it from the logs.
Revealing secret data with debug statements makes it difficult for the Salesforce org admin to control access to the data. Typically, the profiles permitted to view logs aren’t the same profiles that are permitted to view secrets.
Apex Example
In this Apex code, authenticationToken is a
cryptographic secret written to the debug log. To avoid this vulnerability, remove the
system.debug statement from the production
code.
if (varCount > 0){
sensitiveUserData = JSON.serialize(AssignUsrs);
ReqSignature = RequestWrapper.generateHmacSHA256Signature(sensitiveUserData, authenticationToken);
system.debug('Token--->'+authenticationToken);
}