Production Logging: The Silent Security Risk
Why sensitive dev logs in production are a major oversight and how to keep your app clean and secure across different frameworks.
I was exploring someone's web app recently, opened the browser console out of habit, and saw some sensitive dev logs still running in production. Definitely an oversight, or simply not aware it's even a thing.
I agree that AI makes building apps faster. But speed sometimes has a blind spot. Understandably, when you're not familiar with what happens under the hood, small but important things can slip through before going live.
Try the snippet below for the language or framework you are building with. Each one keeps development logs out of your production build or runtime automatically, so you don't have to remember to delete them by hand before a release.
For Next.js Apps
In your next.config.js (or .mjs), you can tell the compiler to strip console calls from production builds. If you still want console.error output for runtime failures, removeConsole also accepts an object with an exclude list instead of a plain boolean:
// next.config.js
module.exports = {
  compiler: {
    removeConsole: process.env.NODE_ENV === "production",
  },
};

For apps built with Vite
Vite makes it easy to drop console and debugger statements at build time through its esbuild options, so they never reach the shipped bundle:
// vite.config.js
export default {
  esbuild: {
    drop: process.env.NODE_ENV === "production" ? ["console", "debugger"] : [],
  },
};

For PHP
In your PHP config, make sure errors are never rendered to the user (stack traces and file paths are useful to an attacker) but are logged internally instead; keep the log file outside the web root so it cannot be requested over HTTP:
// config.php
ini_set('display_errors', 0);
error_reporting(E_ALL);
ini_set('log_errors', 1);
ini_set('error_log', '/path/to/your/error.log');

For Python
Set your logging level to WARNING or higher in production so that DEBUG and INFO records are filtered out before they reach any handler (call this once, at startup, before anything else configures logging):
# app.py
import logging
logging.basicConfig(level=logging.WARNING)

And take your time to understand how your app behaves in production. It makes you a better builder.
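The Python section above hard-codes WARNING. In practice you want the level to follow the environment, with production as the default whenever the environment is unset or unrecognised, and you want to be able to prove that debug output really is suppressed. The following is an added example (not code from the article); it assumes a hypothetical APP_ENV variable naming the environment and uses constructed log events, including a fake token, to show which records survive in each profile.

```python
import logging
import os
from typing import List, Optional, Tuple

# Assumed convention: APP_ENV selects the logging profile (not from the article).
LEVELS = {
    "development": logging.DEBUG,
    "staging": logging.INFO,
    "production": logging.WARNING,
}


def level_for(env: Optional[str]) -> int:
    """Map an environment name to a logging level.

    Anything missing or unknown is treated as production, so a misconfigured
    deployment fails closed (quiet) rather than open (chatty).
    """
    return LEVELS.get((env or "production").strip().lower(), logging.WARNING)


def configure_logging(env: Optional[str] = None) -> int:
    """Configure the root logger from APP_ENV (or an explicit env) and return the level used."""
    if env is None:
        env = os.environ.get("APP_ENV")
    level = level_for(env)
    # force=True replaces any handlers a library may already have attached,
    # so this call actually takes effect even if it is not the first one.
    logging.basicConfig(level=level, format="%(levelname)s %(name)s: %(message)s", force=True)
    return level


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the outcome can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


def emitted(env: str, events: List[Tuple[str, str]]) -> List[str]:
    """Log each (level name, message) under the profile for `env` and return what got through."""
    logger = logging.getLogger(f"demo.{env}")
    logger.propagate = False          # keep the demo isolated from the root logger
    logger.handlers.clear()
    logger.setLevel(level_for(env))
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    for level_name, message in events:
        logger.log(getattr(logging, level_name), message)
    return handler.records


# Constructed sample events; the token value is fake and exists only to show
# the kind of line that tends to leak from leftover debug logging.
SAMPLE_EVENTS = [
    ("DEBUG", "session token=sk-constructed-0001"),
    ("INFO", "user 42 logged in"),
    ("WARNING", "rate limit almost reached"),
    ("ERROR", "database timeout"),
]


if __name__ == "__main__":
    for env in ("development", "production", "not-a-real-env"):
        print(f"--- {env} (level {logging.getLevelName(level_for(env))}) ---")
        for line in emitted(env, SAMPLE_EVENTS):
            print(line)
```

Run it once with APP_ENV unset and once with APP_ENV=development: the debug line carrying the fake token appears only in the development run, and an unrecognised value falls back to the production profile rather than to DEBUG.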