Fix Insufficient Logging & Monitoring in Gatsby
Gatsby functions are the hidden attack surface of your static site. Insufficient logging and monitoring (OWASP A09:2021) in these serverless endpoints allows attackers to perform credential stuffing, API fuzzing, and data exfiltration without leaving a trace. If you aren't aggregating structured logs and setting alerts on high-frequency failures, you are flying blind while your backend is being dismantled.
The Vulnerable Pattern
// authenticate() is the application's own credential check (not shown on this page).
export default function handler(req, res) {
  try {
    const { email, password } = req.body;
    const user = authenticate(email, password);
    if (!user) {
      // SILENT FAILURE: No log entry, no visibility into brute force
      return res.status(401).send('Unauthorized');
    }
    res.status(200).json({ token: 'jwt_token' }); // placeholder token
  } catch (error) {
    // USELESS LOGGING: Console logs in serverless vanish or lack context
    console.log('Error happened');
    res.status(500).send('Internal Server Error');
  }
}
The Secure Implementation
The vulnerable code fails by swallowing errors and providing zero context for security incidents. The secure implementation uses structured logging (JSON) via Winston, capturing critical metadata: the event type, the target user, and the source IP address. This enables SIEM tools (like Datadog, Splunk, or ELK) to parse logs and trigger alerts on anomalies, such as a spike in AUTH_FAILURE events from a single IP, which indicates a brute-force attack in progress. The Console transport below writes one JSON object per line to stdout, which the hosting platform's function logs capture; those logs still have to be shipped to the SIEM (or written through a transport that ships them) so they survive the function instance being torn down. Always ensure logs are centralized and monitored in real time.
import winston from 'winston';

const logger = winston.createLogger({
  level: 'info',
  format: winston.format.json(),
  transports: [new winston.transports.Console()],
});

// authenticate() is the application's own credential check (not shown on this page).
export default async function handler(req, res) {
  const { email } = req.body;
  // Behind a proxy or CDN, X-Forwarded-For may be a comma-separated chain; the first
  // entry is the original client. Trust the header only when your own proxy sets it.
  const forwarded = req.headers['x-forwarded-for'];
  const clientIp = (forwarded || req.socket.remoteAddress || '').split(',')[0].trim();

  try {
    const user = await authenticate(email, req.body.password);
    if (!user) {
      logger.warn({ event: 'AUTH_FAILURE', user: email, ip: clientIp, timestamp: new Date().toISOString() });
      return res.status(401).json({ error: 'Invalid credentials' });
    }
    logger.info({ event: 'AUTH_SUCCESS', user: email, ip: clientIp });
    res.status(200).json({ token: 'jwt_token' }); // placeholder token
  } catch (err) {
    logger.error({ event: 'SYSTEM_ERROR', message: err.message, stack: err.stack, ip: clientIp });
    res.status(500).json({ error: 'Internal server error' });
  }
}
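The alerting side of the picture is what turns these log lines into a detected incident. The following is an added example (not code from the original page or from Ghost Labs) of the simplest form of that rule: a sliding-window count of AUTH_FAILURE events per source IP, run over newline-delimited JSON in the shape the handler above emits. The sample log lines, the 60-second window and the threshold of 5 failures are constructed values for illustration; a real SIEM rule would be tuned to the site's traffic.

```javascript
// Added example: detect a burst of AUTH_FAILURE events from one IP in the
// structured logs produced by the Winston handler above. Window, threshold
// and sample log lines are constructed values, not from the original page.

const WINDOW_MS = 60 * 1000; // sliding window: 60 seconds
const THRESHOLD = 5;         // >= 5 failures from one IP inside the window -> alert

// Parse newline-delimited JSON log output. Lines that are not JSON (a stray
// console.log, a platform banner) are skipped so they cannot break detection.
function parseLogLines(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    try {
      const obj = JSON.parse(trimmed);
      if (obj && typeof obj.event === 'string') events.push(obj);
    } catch (_err) {
      // malformed line: ignore
    }
  }
  return events;
}

// For each IP, walk its AUTH_FAILURE timestamps with a two-pointer window and
// raise one alert the first time the window holds `threshold` or more failures.
// distinctUsers > 1 inside the window points at credential stuffing rather than
// a single user mistyping their own password.
function detectBruteForce(events, windowMs = WINDOW_MS, threshold = THRESHOLD) {
  const byIp = new Map();
  for (const e of events) {
    if (e.event !== 'AUTH_FAILURE' || !e.ip || !e.timestamp) continue;
    const t = Date.parse(e.timestamp);
    if (Number.isNaN(t)) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push({ t, user: e.user });
  }

  const alerts = [];
  for (const [ip, fails] of byIp) {
    fails.sort((a, b) => a.t - b.t);
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      while (fails[end].t - fails[start].t > windowMs) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        const users = new Set(fails.slice(start, end + 1).map((f) => f.user));
        alerts.push({
          ip,
          failures: count,
          distinctUsers: users.size,
          windowEnd: new Date(fails[end].t).toISOString(),
        });
        break; // one alert per IP is enough for this example
      }
    }
  }
  return alerts;
}

// Constructed sample: five failures against five different accounts from
// 203.0.113.7 within 25 seconds, one ordinary failure from 198.51.100.4,
// one success, one SYSTEM_ERROR and one non-JSON line.
const SAMPLE_LOGS = [
  '{"level":"warn","event":"AUTH_FAILURE","user":"alice@example.com","ip":"203.0.113.7","timestamp":"2024-01-01T10:00:00.000Z"}',
  '{"level":"warn","event":"AUTH_FAILURE","user":"bob@example.com","ip":"203.0.113.7","timestamp":"2024-01-01T10:00:05.000Z"}',
  '{"level":"warn","event":"AUTH_FAILURE","user":"alice@example.com","ip":"198.51.100.4","timestamp":"2024-01-01T10:00:07.000Z"}',
  '{"level":"warn","event":"AUTH_FAILURE","user":"carol@example.com","ip":"203.0.113.7","timestamp":"2024-01-01T10:00:10.000Z"}',
  'Error happened',
  '{"level":"warn","event":"AUTH_FAILURE","user":"dave@example.com","ip":"203.0.113.7","timestamp":"2024-01-01T10:00:15.000Z"}',
  '{"level":"info","event":"AUTH_SUCCESS","user":"alice@example.com","ip":"198.51.100.4","timestamp":"2024-01-01T10:00:20.000Z"}',
  '{"level":"warn","event":"AUTH_FAILURE","user":"erin@example.com","ip":"203.0.113.7","timestamp":"2024-01-01T10:00:25.000Z"}',
  '{"level":"error","event":"SYSTEM_ERROR","message":"db timeout","ip":"203.0.113.7","timestamp":"2024-01-01T10:00:26.000Z"}',
].join('\n');

function runDetection(logText = SAMPLE_LOGS) {
  return detectBruteForce(parseLogLines(logText));
}

console.log(JSON.stringify(runDetection(), null, 2));
```

On the sample input the detector reports a single alert for 203.0.113.7 with 5 failures across 5 distinct users, while the lone failure from 198.51.100.4 stays below the threshold. The same shape of rule (group by `ip`, count `event == "AUTH_FAILURE"` over a time window) is what you would express in the SIEM's query language once the logs are centralized; grouping by `user` instead catches password spraying that rotates source addresses.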
Verified by Ghost Labs Security Team