5 min read · observability, compliance, go

Log redaction without regret

How a 200-line slog.Handler wrapper made our structured logs SOC 2-friendly without changing a single call site.

By Sai Mareedu

If your logger ever writes the bytes "password=hunter2" to stdout, you have a compliance problem. Most engineers know this; few teams have a guard that catches it everywhere.

The wrapper

We built a slog.Handler middleware that walks every log record's attribute tree and masks the values of 22 known-sensitive keys, among them:

- `password`, `*_token`, `*_secret`, `code`, `otp`, `authorization`: value masked
- `email`: partially masked, `j***@domain.com` (first character of the local part and the domain survive)
- `phone`: partially masked, `***1234` (only the last four digits survive)

The walk recurses into nested groups, so an `email` inside `slog.Group("user", slog.String("email", ...))` is masked exactly like a top-level attribute.

Why a handler, not a transformer

Transformer-style redaction runs at write time, after the logger has already serialised the record, which is too late to be sure nothing escaped. A handler intercepts the record before serialisation, so the redacted view is the only one that reaches any sink. We test against the JSON output rather than the in-memory record, so the assertion covers the bytes that are actually written.
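The handler described in the two sections above, written here as an added example and not the authors' 200-line wrapper: it walks each record's attribute tree, recurses into groups, masks the keys the post lists (the full 22-key set is not shown, so that key list and the `[REDACTED]` placeholder are assumptions, as are the names `RedactingHandler`, `redactAttr`, `RenderJSON` and `DemoOutput`), and then renders a constructed sample record through `slog.NewJSONHandler` into a buffer so the check runs against the serialised JSON, not the in-memory record.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"log/slog"
	"strings"
)

// Keys masked outright, as listed in the post; "*_token" and "*_secret" are matched by suffix below.
// The post's full 22-key set is not shown, so this list is an assumption for the example.
var exactKeys = map[string]bool{"password": true, "code": true, "otp": true, "authorization": true}

const placeholder = "[REDACTED]" // assumed replacement text; the post does not say what it writes

func isSensitiveKey(key string) bool {
	return exactKeys[key] || strings.HasSuffix(key, "_token") || strings.HasSuffix(key, "_secret")
}

// maskEmail keeps the first character of the local part and the whole domain: j***@domain.com.
func maskEmail(s string) string {
	at := strings.LastIndex(s, "@")
	if at <= 0 {
		return "***" // no "@" or empty local part: hide everything rather than guess
	}
	local := []rune(s[:at])
	return string(local[0]) + "***" + s[at:]
}

// maskPhone keeps only the last four characters: ***1234.
func maskPhone(s string) string {
	r := []rune(s)
	if len(r) < 4 {
		return "***"
	}
	return "***" + string(r[len(r)-4:])
}

// redactAttr masks one attribute and recurses into groups so nested keys are caught too.
func redactAttr(a slog.Attr) slog.Attr {
	a.Value = a.Value.Resolve() // expand LogValuer implementations before inspecting the value
	if a.Value.Kind() == slog.KindGroup {
		var out []slog.Attr
		for _, m := range a.Value.Group() {
			out = append(out, redactAttr(m))
		}
		return slog.Attr{Key: a.Key, Value: slog.GroupValue(out...)}
	}
	switch key := strings.ToLower(a.Key); {
	case key == "email":
		return slog.String(a.Key, maskEmail(a.Value.String()))
	case key == "phone":
		return slog.String(a.Key, maskPhone(a.Value.String()))
	case isSensitiveKey(key):
		return slog.String(a.Key, placeholder)
	}
	return a
}

// RedactingHandler (hypothetical name) wraps any slog.Handler and masks attributes before they reach it.
type RedactingHandler struct{ inner slog.Handler }

func (h *RedactingHandler) Enabled(ctx context.Context, l slog.Level) bool { return h.inner.Enabled(ctx, l) }

// Handle rebuilds the record with masked attributes; the inner handler never sees the originals.
func (h *RedactingHandler) Handle(ctx context.Context, r slog.Record) error {
	clean := slog.NewRecord(r.Time, r.Level, r.Message, r.PC)
	r.Attrs(func(a slog.Attr) bool {
		clean.AddAttrs(redactAttr(a))
		return true
	})
	return h.inner.Handle(ctx, clean)
}

// WithAttrs is the path Logger.With takes; those attributes never pass through Handle, so mask them here too.
func (h *RedactingHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
	out := make([]slog.Attr, 0, len(attrs))
	for _, a := range attrs {
		out = append(out, redactAttr(a))
	}
	return &RedactingHandler{inner: h.inner.WithAttrs(out)}
}

func (h *RedactingHandler) WithGroup(name string) slog.Handler {
	return &RedactingHandler{inner: h.inner.WithGroup(name)}
}

// RenderJSON logs one record through a JSONHandler wrapped by RedactingHandler and returns the
// serialised bytes, so a test can assert on what actually reaches the sink.
func RenderJSON(bound []any, msg string, args ...any) string {
	var buf bytes.Buffer
	logger := slog.New(&RedactingHandler{inner: slog.NewJSONHandler(&buf, nil)}).With(bound...)
	logger.Info(msg, args...)
	return buf.String()
}

// DemoOutput renders a constructed sample: a bound secret, two top-level secrets and a nested group.
func DemoOutput() string {
	user := slog.Group("user", slog.String("email", "jane@example.com"), slog.String("phone", "+1 555 0100 1234"))
	return RenderJSON([]any{"api_secret", "s3cr3t"}, "login attempt", "password", "hunter2", "session_token", "tok-123", user)
}

func main() { fmt.Print(DemoOutput()) }
```

One detail the post does not spell out but any such wrapper has to get right: attributes bound with `logger.With(...)` reach the handler through `WithAttrs`, not `Handle`, so the masking must run on both paths; a wrapper that only overrides `Handle` leaks `logger.With("password", p)` on every subsequent line. `Value.Resolve()` runs before the key check so that a `LogValuer` which produces a group lazily cannot carry a sensitive key past the walk.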