HighFile-scopePHP Plug & play

Include context in error logs

Log errors with operation name and identifiers (e.g., userId, orderId) using structured context.

Why this matters

Contextual logs speed up incident triage and correlation.

Side-by-side examples engineers can pattern-match during review.

Avoid

error_log($e->getMessage());

Prefer

$logger->error('payment failed', ['op'=>'charge','userId'=>$userId,'orderId'=>$orderId,'exception'=>$e]);

Bad

error_log($e)

Good

$logger->error('x', ['id'=>$id,'e'=>$e])

From the same buckets as this rule.

Critical
Check consent and role-based authorization before returning ePHI
Handlers must verify the requester’s role and a valid consent/relationship (e.g., care team assignment) before disclosing ePHI; include Purpose-Of-Use in the decision and audit the outcome.
compliance-hipaasecurity-hardening+2
Critical
Mask PAN and exclude SAD from logs
Never emit Primary Account Number (PAN) or Sensitive Authentication Data (SAD: CVV/CVC, full track data, PIN) to application or audit logs. Per PCI DSS 4.0 Req. 3 and 10, always mask PAN as first6last4 and fully redact SAD before logging.
compliance-pci-dssobservability-logging+1
High
Add comprehensive error logging
Log failures with operation name, key identifiers, and exception; prefer structured logging (fields).
error-handlingobservability-logging