How to sanitize json before structured logging
- Step 1: Collect a sample request or response payload — Copy a representative JSON payload from your application logs or API client. Include any sensitive fields so you can verify they are removed correctly.
- Step 2: Define your sensitive key list — Enter the keys to sanitize: password, token, apiKey, authorization, cardNumber, cvv, ssn, secret, privateKey. Enable recursive removal to catch these at any nesting depth.
- Step 3: Choose remove or redact mode — Remove mode deletes the key entirely. Redact mode replaces the value with [REDACTED], keeping the key present — useful for knowing a field existed in the log without exposing its value.
- Step 4: Mirror the logic in your logging middleware — Implement the same key-removal list in your Express middleware, Fastify hook, or Django middleware. Libraries like pino's redact option and morgan's custom token accept key path lists directly.
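The four steps above, carried out in code, as an added example that is not part of this page or of the JAD Apps tool: a recursive sanitizer with the page's default key list and both remove and redact modes, plus an Express-style middleware that logs the sanitized body. It also returns the dot-notation paths it hit (array elements written as `cards[*].cvv`), which is the path form the Pino answer below refers to. Function names (`sanitizeForLog`, `sanitizingRequestLogger`), the key-normalization rule, and the sample payload are assumptions made for this example.

```javascript
// Added example (not page or JAD Apps code): recursive JSON sanitizer for structured logging.
// Function names, the normalization rule and the sample payload are assumptions of this example.

const DEFAULT_SENSITIVE_KEYS = [
  'password', 'token', 'apiKey', 'authorization', 'cardNumber',
  'cvv', 'ssn', 'secret', 'privateKey',
];

const REDACTED = '[REDACTED]';

// Normalize key names so "Api-Key", "api_key" and "apiKey" all match the same entry.
function normalizeKey(key) {
  return String(key).toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Returns { sanitized, paths }: a deep copy of `value` with sensitive fields removed or
// redacted, and the dot-notation paths that matched (array elements appear as `[*]`).
//   options.mode: 'redact' (default) keeps the key with '[REDACTED]'; 'remove' drops the key.
//   options.keys: sensitive key names; defaults to the page's list above.
function sanitizeForLog(value, options = {}) {
  const mode = options.mode === 'remove' ? 'remove' : 'redact';
  const sensitive = new Set((options.keys || DEFAULT_SENSITIVE_KEYS).map(normalizeKey));
  const paths = new Set();
  const seen = new WeakSet(); // guards against circular references in the input

  function walk(node, path) {
    if (node === null || typeof node !== 'object') return node;
    if (seen.has(node)) return '[Circular]';
    seen.add(node);

    if (Array.isArray(node)) {
      return node.map((item) => walk(item, `${path}[*]`));
    }

    const out = {};
    for (const [key, child] of Object.entries(node)) {
      const childPath = path ? `${path}.${key}` : key;
      if (sensitive.has(normalizeKey(key))) {
        paths.add(childPath);
        if (mode === 'redact') out[key] = REDACTED;
        continue; // in 'remove' mode the key is simply not copied
      }
      out[key] = walk(child, childPath);
    }
    return out;
  }

  const sanitized = walk(value, '');
  return { sanitized, paths: [...paths] };
}

// Express-style middleware: logs a sanitized copy of req.body, never the original.
// `logger` is any object with an info(obj, msg) method (the shape pino exposes).
function sanitizingRequestLogger(logger, options) {
  return function (req, res, next) {
    const { sanitized } = sanitizeForLog(req.body, options);
    logger.info({ method: req.method, url: req.url, body: sanitized }, 'request');
    next();
  };
}

// Constructed sample payload (not real data) covering nesting, arrays and mixed key casing.
const SAMPLE_PAYLOAD = {
  user: { name: 'alice', password: 'hunter2', credentials: { apiKey: 'ak_test_123' } },
  cards: [{ cardNumber: '4111111111111111', cvv: '123', last4: '1111' }],
  headers: { Authorization: 'Bearer abc' },
};

// Stand-alone demo: print both modes and the matched paths.
console.log(JSON.stringify(sanitizeForLog(SAMPLE_PAYLOAD), null, 2));
console.log(JSON.stringify(sanitizeForLog(SAMPLE_PAYLOAD, { mode: 'remove' }).sanitized, null, 2));
```

The `paths` array is the list to hand to a path-based redactor such as pino's redact option; run the sanitizer once over a representative payload, copy the paths out, and keep the key list in one shared module so the middleware and the logger never drift apart.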
Frequently asked questions
How do I implement this sanitization in a Pino logger?
Pino has a built-in redact option: const logger = pino({ redact: ['password', 'token', 'user.credentials.apiKey'] }). The redact option uses dot-notation paths to match the keys in this tool. Use this tool to find the correct paths, then add them to Pino's redact configuration.
Should I remove or redact sensitive fields in logs?
Redaction ([REDACTED]) is generally preferred over removal because it preserves the log structure — making it clear a sensitive field was present — without exposing the value. Some compliance frameworks specifically require redaction rather than removal so audit logs show that the field existed.
Is the payload with sensitive values transmitted to JAD Apps?
No. Processing runs entirely in your browser. The original payload — including passwords, tokens, and card numbers — is never transmitted to JAD Apps servers.
Privacy first
Conversion runs locally in your browser. No file is uploaded — only metadata counters are saved for signed-in dashboard stats.