Fair enough, thanks for the clarification, although then this initial response makes little sense in context:
On Thu, Mar 12, 2026 at 5:59 PM Calvin Buckley <[email protected]> wrote: > This is something I'm also concerned about, but I feel the cat is > already out of the bag with backtraces in exceptions providing the same > parameter information. PHP and the library ecosystem seem to be adopting > the sensitive parameter attribute, so my hope is that applications also > start adopting it. Also, you can only mark a parameter as sensitive if you *know* that it contains something sensitive, so I'm assuming that only covers passwords, private keys, etc. However, almost any string parameter can contain sensitive data and that's where the danger is - all applications handling PII will be at risk of inadvertently leaking data through logs. Cheers, Andrey.
