How do you verify that secrets and credentials are never exposed in API responses, logs, or client-side code?

API response layer:

• For every endpoint that handles credentials (login, password reset, API key generation), intercept the full response — including headers — and verify:
  • No passwords in any field (not even a masked version in the response body — passwords should never be returned after initial creation)
  • No unmasked card numbers, CVV codes, or full bank account numbers
  • No internal API keys or service credentials
  • Error responses from 400/422/500 do not contain stack traces or database queries

Log layer: Set up a test environment with log access (console output, log aggregation tool, or direct file access). Perform the sensitive operations: login, card entry, password change, API key creation. Search the logs for the exact strings you submitted. Use a specific, distinctive test value (e.g. a card number ending in 9999) so you can grep for it unambiguously. Logs must contain identifiers (user ID, action type, timestamp) but never the sensitive value itself.

Frontend bundle layer: After a production build, search the compiled JavaScript bundle:

grep -rE '(api_key|apiKey|secret|password|AWS_|STRIPE_SK_|DATABASE_URL)' dist/

Look for: API keys embedded during build (a common mistake with environment variables not properly excluded), database connection strings, internal service URLs with credentials, and JWT signing secrets.

Automated checks in CI: integrate a secrets detection tool (truffleHog, git-secrets, detect-secrets) as a pre-commit hook and CI step to prevent secrets from being committed in the first place.