Audit Log
// Definition
A tamper-resistant record of important system and user actions — who did what, to what, and when. Audit logs support detection, investigation and accountability, especially for sensitive actions like role changes, deletions, admin operations and failed logins. For QA, the check is simple but often missed: perform a sensitive action and confirm a corresponding audit-log entry exists with the actor, action and timestamp.
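As an added example (not part of this glossary entry), a small Python helper that turns the QA check above into an assertion: it parses a constructed JSON-lines audit log, rejects records that lack the actor, action, target or timestamp fields, and looks for the entry matching the action the tester just performed inside a time window. The field names and the JSON-lines format are assumptions, not a specific product's schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records, as an application might emit them (one JSON object per line).
SAMPLE_AUDIT_LOG = """
{"ts": "2024-05-01T10:00:03Z", "actor": "alice", "action": "role.change", "target": "user:bob", "details": {"from": "viewer", "to": "admin"}}
{"ts": "2024-05-01T10:00:04Z", "actor": "alice", "action": "login.failed", "target": "user:alice"}
{"ts": "2024-05-01T10:00:09Z", "actor": "carol", "action": "user.delete", "target": "user:dave"}
"""

# Assumed minimum fields: an entry that cannot answer "who did what, to what, when" is a finding.
REQUIRED_FIELDS = ("ts", "actor", "action", "target")
# Moment the tester triggered the sensitive action (constructed value for the sample above).
TEST_START = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def missing_fields(rec):
    """Return the required fields absent from one parsed record."""
    return [f for f in REQUIRED_FIELDS if f not in rec]


def parse_audit_log(text):
    """Parse JSON-lines audit records into dicts with a timezone-aware datetime in 'ts'."""
    entries = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if missing_fields(rec):
            raise ValueError(f"audit record missing {missing_fields(rec)}: {line}")
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        entries.append(rec)
    return entries


def find_audit_entry(entries, actor, action, target, started_at, window_seconds=30):
    """Return the entry recording `action` by `actor` on `target` within the window, else None."""
    deadline = started_at + timedelta(seconds=window_seconds)
    for rec in entries:
        if (rec["actor"], rec["action"], rec["target"]) == (actor, action, target):
            if started_at <= rec["ts"] <= deadline:
                return rec
    return None


def assert_audited(log_text, actor, action, target, started_at):
    """The QA check: fail loudly when the sensitive action left no matching audit entry."""
    hit = find_audit_entry(parse_audit_log(log_text), actor, action, target, started_at)
    if hit is None:
        raise AssertionError(f"no audit entry for {actor} {action} {target} after {started_at.isoformat()}")
    return hit


if __name__ == "__main__":
    print(assert_audited(SAMPLE_AUDIT_LOG, "alice", "role.change", "user:bob", TEST_START))
```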
// Related terms
Principle of Least Privilege
The design rule that every user, role, token or service should have only the minimum access it needs to do its job — and nothing more. Applied well, a compromised account or a missing check causes limited damage. For QA, least privilege turns into concrete checks: confirm a read-only role cannot write, a normal user cannot reach admin functions, and a token carries only the permissions the account should have.
Sensitive Data Exposure
Leaking private or confidential data — passwords, tokens, personal data, payment-card data or internal details — through responses, logs, error messages, tokens or insecure storage. It is one of the most common high-impact issues QA can catch: confirm that sensitive values are masked in the UI and API responses, are not present in JWT payloads, and do not appear in stack traces. When reporting, mask the values themselves so the bug report does not become a second exposure.