
I would have flagged that they're logging their Redis URL, if I was reviewing this. Most of the time this includes credentials.

Normally I think it's a bit rude to criticize the code of blog posts, but I thought it was relevant here for these reasons:

"I often don’t even remove when I’m done debugging because they’re now valuable in prod" - think about where your production credentials end up. Most of the time, logging them won't hurt, just like keeping your password on a post-it doesn't hurt most of the time.

The arguments about letting an AI reduce the mental overhead are compelling, but this shows one of the (often mentioned) risks: you didn't write it so you didn't consider the implications.

Or maybe the author did consider it, and has a lot of good arguments for why logging it is perfectly safe. I often get pushback from other devs about stuff like this, for example:

- We're the only ones with access to the logs (still, no reason to store credentials in the logs)

- The Redis URL only has an IP, no credentials. (will we remember to update this log line when the settings.redis_url changes?)

- We only log warnings or higher in production (same argument as above)

Maybe I should stop worrying and learn to love AI? Human devs do the same thing, after all?
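One way to make the log line safe regardless of whether `settings.redis_url` carries credentials today or gains them later, as an added example that is not the commenter's or the blog author's code: redact the userinfo before logging, and install a logging filter that catches any `scheme://user:password@host` pattern that slips through. The URLs below are constructed samples; `settings.redis_url` is the name used in the comment.

```python
# Added example (not from the comment or the blog it discusses): keep
# credentials out of log output even when the Redis URL later gains a password.
import logging
import re
from urllib.parse import urlsplit, urlunsplit

def redact_url(url: str) -> str:
    """Return `url` with the userinfo password replaced by '***'.
    URLs without credentials are returned unchanged."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url  # no userinfo at all, nothing to hide
    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"  # urlsplit strips IPv6 brackets; put them back
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    user = parts.username or ""
    if parts.password is not None:
        netloc = f"{user}:***@{netloc}"
    else:
        netloc = f"{user}@{netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

# Matches "scheme://user:password@" inside free text; '/' and whitespace end
# the password so a credential-free URL's port/path is never mistaken for one.
_CRED_URL = re.compile(r"(?P<prefix>[A-Za-z][A-Za-z0-9+.\-]*://[^:@/\s]*:)[^@/\s]*@")

def redact_text(text: str) -> str:
    """Mask every embedded URL password in an arbitrary string."""
    return _CRED_URL.sub(r"\g<prefix>***@", text)

class RedactingFilter(logging.Filter):
    """Safety net: redact the rendered message of every record that passes."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # message is already formatted; drop raw args
        return True

if __name__ == "__main__":
    # Constructed sample standing in for settings.redis_url.
    redis_url = "redis://:s3cr3t@10.0.0.1:6379/0"
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO)
    log.info("connecting to %s", redact_url(redis_url))   # explicit redaction
    log.info("connecting to %s", redis_url)               # caught by the filter
```

The filter is the part that survives a later change to `settings.redis_url`, since it does not rely on anyone remembering which log lines mention the URL.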
