Thanks @tufty !
Yes actually this was pointed out by one of our Pro customers last year, and we have updated it already in that plugin.
It’s not 100% infallible but we now strip out any parameters in the URL or error notification message (in the case of HTTP timeout errors) that match (in whole or part):
'password',
'api_key',
'apikey',
'secret',
'access_token',
'client_secret',
'auth',
'authorization',
'key',
'token'
And these are replaced by [REMOVED]. We are overdue for an update to the free plugin, I will try to get that sent out in the next few weeks. Thanks for pointing it out 🙂
