CWE-532 (Insertion of Sensitive Information into Log File), OWASP A09 (Security Logging and Monitoring Failures), and GDPR Article 5(1)(f) (integrity and confidentiality) all apply when wildcard HTTP request body logging captures AI prompt content. HTTP interceptors configured to log all outgoing request bodies are a common debugging pattern — axios interceptors, custom fetch wrappers, and Node.js http module overrides — that developers add during development and forget to remove or scope. In an AI application, these interceptors will capture every prompt sent to the AI provider and write it to whatever log sink is configured, regardless of sensitivity.
The severity is low because wildcard request logging is typically a forgotten debugging artifact rather than an intentional disclosure, but it creates an ongoing passive exfiltration of all AI prompt content to the log sink.
If you have a custom fetch wrapper or HTTP interceptor around AI API calls, restrict it to logging metadata only — never the request body.
// lib/ai/fetch-client.ts
async function aiApiFetch(url: string, init: RequestInit) {
  const start = Date.now()
  const response = await fetch(url, init)
  // Log only metadata — never init.body or response body
  console.log('AI API call:', {
    path: new URL(url).pathname,
    status: response.status,
    latencyMs: Date.now() - start
  })
  return response
}
Search the codebase for request.body, req.body, init.body, and JSON.stringify(.*messages) in any file that wraps or intercepts outgoing HTTP requests. If wildcard body logging exists only inside a NODE_ENV === 'development' guard, verify the guard is present and tested in CI.
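As an added example (not part of this check's own text or of any project's code), a small scanner that performs the codebase search described above over the source of a file that wraps or intercepts outgoing HTTP requests, and records whether each hit sits inside a NODE_ENV === 'development' guard; the interceptor source it scans is constructed, and the function, type and pattern names are assumptions.

```typescript
export interface Finding {
  line: number      // 1-based line number in the scanned source
  text: string      // the flagged line, trimmed
  guarded: boolean  // true when inside a NODE_ENV === 'development' guard
}
// Body references named in the check, and the logging calls that would emit them.
const BODY_PATTERNS = [/\b(?:request|req|init)\.body\b/, /JSON\.stringify\(.*messages/]
const LOG_CALL = /\b(?:console\.(?:log|debug|info|warn|error)|logger\.\w+)\s*\(/
const DEV_GUARD = /NODE_ENV\s*===?\s*['"]development['"]/
const count = (s: string, re: RegExp): number => (s.match(re) || []).length

// Brace/paren tracking is a plain-text approximation: braces inside string
// literals can throw the guard detection off.
export function scanInterceptorSource(source: string): Finding[] {
  const findings: Finding[] = []
  let depth = 0                         // current brace depth
  let guardDepth: number | null = null  // brace depth at which a dev guard opened
  let logParens = 0                     // unclosed parens of a multi-line logging call
  source.split('\n').forEach((raw, i) => {
    const line = raw.trim()
    const onGuardLine = DEV_GUARD.test(line)
    if (guardDepth === null && onGuardLine) guardDepth = depth
    const guarded = onGuardLine || (guardDepth !== null && depth > guardDepth)
    // flag body references only when they sit inside a logging call (possibly multi-line)
    const inLog = LOG_CALL.test(line) || logParens > 0
    if (inLog && BODY_PATTERNS.some((re) => re.test(line))) {
      findings.push({ line: i + 1, text: line, guarded })
    }
    if (inLog) logParens += count(line, /\(/g) - count(line, /\)/g)
    depth += count(line, /\{/g) - count(line, /\}/g)
    if (guardDepth !== null && depth <= guardDepth) guardDepth = null  // left the guard block
  })
  return findings
}

// Constructed sample of an interceptor file (not real project code): one unguarded
// axios interceptor logging req.body, one dev-guarded debug log, one metadata-only log.
export const SAMPLE_INTERCEPTOR_SOURCE = `axios.interceptors.request.use((req) => {
  console.log('outgoing', req.url, req.body)
  return req
})
async function aiApiFetch(url: string, init: RequestInit) {
  if (process.env.NODE_ENV === 'development') {
    console.debug('payload', JSON.stringify(init.body))
  }
  const response = await fetch(url, init)
  console.log('AI API call:', { path: new URL(url).pathname, status: response.status })
  return response
}`
```

Findings with `guarded: false` are the ones that fail this check in production; guarded ones still need the CI test of the guard that the text above asks for.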
ID: ai-data-privacy.third-party-ai-provider.no-wildcard-logging
Severity: low
What to look for: Enumerate every relevant item. Examine logging middleware and network interceptor configuration. Look for HTTP client middleware (axios interceptors, fetch wrappers, Node.js http module interceptors) configured to log all outgoing request bodies. Look for debug-mode configurations that enable full request/response logging. Also check any custom fetch wrappers around the AI SDK for logging of the full request body.
Pass criteria: No logging middleware is configured to capture full request bodies of outgoing HTTP requests. Any custom fetch wrapper for the AI SDK logs only metadata (URL, method, status code, latency).
Fail criteria: A request interceptor or middleware is configured to log full request bodies for all outgoing requests — which would capture AI prompt content in the log output.
Skip (N/A) when: The entire logging of outgoing requests is inside a NODE_ENV === 'development' guard and would not activate in production. Or no custom HTTP middleware is present — the AI SDK is called directly.
Detail on fail: "HTTP request middleware in [file] logs full request bodies for outgoing requests — AI prompt content would appear in logs via this interceptor"
Remediation: Wildcard request body logging is occasionally added during debugging and forgotten. In an AI context it means every prompt sent to the AI provider is also being written to your log output.
If you have a fetch wrapper, restrict what it logs:
// lib/ai/fetch-client.ts
async function aiApiFetch(url: string, init: RequestInit) {
  const start = Date.now()
  const response = await fetch(url, init)
  // Log only metadata, never the body
  console.log('AI API call:', {
    url: new URL(url).pathname, // path only, not full URL with potential key params
    status: response.status,
    latencyMs: Date.now() - start
  })
  return response
}
Review and remove any console.log(request.body) or equivalent in middleware that processes outgoing AI API calls.