# OAuth2 client secret exposed in application log: sensitive credentials written to log file

- **ID:** `security/oauth2-client-secret-exposed-in-log`
- **Domain:** security
- **Category:** config_error
- **Error Code:** `SEC-2001`
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

The OAuth2 client secret was inadvertently logged as part of a request or configuration dump, exposing the credential to anyone with access to log files.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Spring Boot 3.1 | active | — | — |
| Log4j 2.20 | active | — | — |
| Python logging 0.5 | active | — | — |
| Node.js Winston 3.11 | active | — | — |

## Workarounds

1. **Configure a logging filter so the secret never reaches the log file.** For Log4j2, a `RegexFilter` can deny any event whose message carries a `client_secret=` parameter; because `RegexFilter` requires the pattern to match the whole message, the pattern needs a leading and a trailing `.*` (85% success):
   ```xml
   <RegexFilter regex=".*client_secret=[^&]+.*" onMatch="DENY" onMismatch="NEUTRAL"/>
   ```
2. **Use environment variables or a secret manager (e.g., HashiCorp Vault) to inject the secret at runtime, and ensure the application never logs the raw value.** In Spring Boot, inject it with `@Value("${client.secret}")` and never print it or include it in configuration dumps. (90% success)

## Dead Ends

- Simply rotating the secret without fixing the logging configuration means the new secret will also be logged, perpetuating the exposure. (60% fail)
- Adding the secret to a log filter but only for one log level (e.g., ERROR) still exposes it if the application logs at that level, and doesn't cover all loggers. (35% fail)
- Some try to mask the secret in logs by truncating it, but if the full secret appears elsewhere (e.g., in a stack trace), the truncation is ineffective. (25% fail)
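The first workaround and the dead ends above, as one added example (not code from the page): a Python `logging.Filter` (Python logging is in the compatibility table) attached to the handler, so it applies to every logger and every level, that redacts the `client_secret` value from the message and from attached exception text rather than truncating it. The logger name, marker text and sample request body are constructed for this example.

```python
import io
import logging
import re

# Matches the value after client_secret= in a query string or form body
# (the value ends at &, whitespace or a quote).
SECRET_PATTERN = re.compile(r"(client_secret=)[^&\s\"']+")


def redact(text: str) -> str:
    """Replace a client_secret value with a fixed marker; other text is untouched."""
    return SECRET_PATTERN.sub(r"\1[REDACTED]", text)


class SecretRedactingFilter(logging.Filter):
    """Rewrite each LogRecord in place before the handler formats it.

    On the handler it covers every logger and level that reaches it, and it also
    rewrites exception text, where a secret survives when only the message is cut.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # render %-args, then redact
        record.args = ()                           # already rendered above
        if record.exc_info:
            # Pre-render the traceback; Formatter reuses the cached exc_text.
            record.exc_text = redact(logging.Formatter().formatException(record.exc_info))
        return True  # keep the event, only its content changed


def build_logger(name: str):
    """Isolated logger (constructed name) whose single handler carries the filter."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    return logger, stream


def demo() -> str:
    """Log a constructed token request at two levels and return what reached the log."""
    logger, stream = build_logger("oauth.demo")
    body = "grant_type=client_credentials&client_id=app1&client_secret=s3cr3t-VALUE-123"
    logger.debug("token request body: %s", body)              # secret via %-args at DEBUG
    try:
        raise RuntimeError("token endpoint rejected " + body)  # secret inside an exception
    except RuntimeError:
        logger.exception("token request failed")             # ERROR with traceback
    return stream.getvalue()
```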
