I've been looking through my in-production app's logs in GCP and noticed that the verification response that I am logging contains all my process.env values and secrets including TLS certificates, DB connection strings, everything.
Screenshot attached:
Which makes me realise this is probably something that any third-party dependency with outbound connections can do.
My questions are:
- Is this normal?
- How can I check if the values are actually sent to a remote server?
- How can I prevent it -- if at all?