Sensitive information needs to be culled to ensure we aren’t leaking important data into our logs, which could end up being a great target for attackers.
Whitelisting what gets logged seems the safest approach, but that may not be easy with free-form logging. Wonder what best practices are here. Might be some opportunity for a shared library, especially for request/response logging, but perhaps also for converting objects to strings: force each class to specify a safe-to-string method, or whitelist attributes to include in a generic to-string?
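
A sketch of the whitelisted generic to-string and header-logging idea above, as an added example that is not code from the original note. The names `SafeLogMixin`, `LOG_FIELDS`, `LOGGABLE_HEADERS` and `loggable_headers` are hypothetical, and the sample data is constructed.

```python
import logging

SAFE_SCALARS = (str, int, float, bool, type(None))

class SafeLogMixin:
    """Generic to-string that renders only the attributes named in LOG_FIELDS."""
    LOG_FIELDS = ()  # deny by default: a class must opt each field in

    def _render(self, value):
        if isinstance(value, SafeLogMixin):
            return repr(value)              # nested object applies its own whitelist
        if isinstance(value, SAFE_SCALARS):
            return repr(value)              # repr() also escapes CR/LF in strings
        return f"<{type(value).__name__}>"  # unknown type: log the type, never the contents

    def __repr__(self):
        body = ", ".join(f"{n}={self._render(getattr(self, n, None))}"
                         for n in self.LOG_FIELDS)
        return f"{type(self).__name__}({body})"

    __str__ = __repr__

class Address(SafeLogMixin):
    LOG_FIELDS = ("country",)
    def __init__(self, street, country):
        self.street, self.country = street, country

class User(SafeLogMixin):
    LOG_FIELDS = ("user_id", "address", "session")
    def __init__(self, user_id, email, password, address, session):
        self.user_id, self.email, self.password = user_id, email, password
        self.address, self.session = address, session

# Request/response logging: the same whitelist idea applied to header names.
LOGGABLE_HEADERS = frozenset({"content-type", "user-agent", "x-request-id"})

def loggable_headers(headers):
    """Return only whitelisted headers; everything else is dropped, not masked."""
    return {k.lower(): v for k, v in headers.items() if k.lower() in LOGGABLE_HEADERS}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample data
    user = User(42, "a@example.com", "hunter2",
                Address("1 Main St", "NZ"), {"token": "abc123"})
    logging.info("login ok: %s", user)
    logging.info("request headers: %s", loggable_headers(
        {"Authorization": "Bearer abc123", "Content-Type": "application/json"}))
```

Because `session` is whitelisted but holds a plain dict, only its type is logged; a field added to a class later stays out of the logs until someone lists it in `LOG_FIELDS`.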

