Fix Insufficient Logging & Monitoring in Fastify
Blindness is the precursor to compromise. If you aren't logging security-critical events in your Fastify stack, you're flying a plane without a black box. Standard `console.log` garbage won't cut it when an adversary is pivoting through your routes. You need structured, high-performance telemetry to detect and respond to anomalies before they become breaches.
The Vulnerable Pattern
```javascript
// Logging disabled entirely: nothing about this request is ever recorded.
const fastify = require('fastify')({ logger: false });

fastify.post('/api/v1/auth', async (req, reply) => {
  const { username, password } = req.body;
  // `db` is the application's data layer (not shown in this snippet).
  const user = await db.users.find({ username });

  if (!user || user.password !== password) {
    // VULNERABILITY: Silent failure. No record of the attempt, IP, or username.
    return reply.code(401).send({ error: 'Unauthorized' });
  }

  return { token: 'jwt_token' };
});

fastify.listen({ port: 3000 });
```
The Secure Implementation
1. **Enable Pino**: Fastify ships with Pino by default; never set `logger: false` in production.
2. **Structured Logging**: Use JSON format so SIEMs (ELK, Splunk) can parse and alert on specific fields like `event`.
3. **Redaction**: Use the `redact` option to prevent Sensitive Personal Information (SPI) or credentials from hitting the disk.
4. **Contextual Correlation**: Use `req.log` instead of the global logger so the request id (`reqId`) is automatically included in every log entry, enabling full trace reconstruction during incident response.
5. **Security Events**: Explicitly log 401 (Unauthorized), 403 (Forbidden), and 500 (Internal Server Error) events with metadata like source IP and targeted resource.
```javascript
const fastify = require('fastify')({
  logger: {
    level: 'info',
    // Paths listed here are replaced with "[Redacted]" before the line is written.
    redact: ['req.headers.authorization', 'password', 'body.password'],
    serializers: {
      // Keep request logging to the fields a SIEM actually needs.
      req: (req) => ({ method: req.method, url: req.url, ip: req.ip })
    }
  }
});

fastify.post('/api/v1/auth', async (req, reply) => {
  const { username } = req.body;
  try {
    // `db` is the application's data layer (not shown in this snippet).
    const user = await db.users.find({ username });
    if (!user || user.password !== req.body.password) {
      // SECURE: Structured log with context for SIEM ingestion
      req.log.warn(
        { event: 'authentication_failure', target_user: username, src_ip: req.ip },
        'Unauthorized login attempt detected'
      );
      return reply.code(401).send({ error: 'Unauthorized' });
    }

    req.log.info({ event: 'authentication_success', user_id: user.id }, 'User authenticated');
    return { token: 'jwt_token' };
  } catch (err) {
    // Unexpected failures are logged with the error object and re-thrown so Fastify returns a 500.
    req.log.error({ err, event: 'internal_error' }, 'Auth service exception');
    throw err;
  }
});

fastify.listen({ port: 3000 });
```
Verified by Ghost Labs Security Team