When creating or updating users via the API, ROMM logs full HTTP request lines—including query parameters that contain passwords. This results in plaintext credentials appearing in container logs, which poses a security risk.
Example log line:
POST /api/users?username=testuser&password=myplaintextpass
Even though this may be a low-risk, self-hosted application, it’s a best practice to avoid logging sensitive data like passwords. Query strings are particularly unsafe for this since they are often captured by default in logs.
Suggestions:
- Avoid logging full request lines when they contain sensitive fields
- Switch to accepting credentials in the request body (JSON) where possible
- Redact or mask password parameters in logs
I love the project and it's way above my skill level to write anything like this, but when I was debugging I saw this and it immediately set my enterprise infosec alarm bells ringing.
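One way to implement the third suggestion (redact password parameters before they reach the logs) is a logging filter that rewrites the request line in each record. The code below is an added example, not ROMM's own code: it assumes the application logs request lines through Python's standard logging module (for a FastAPI/uvicorn app the access logger is normally named uvicorn.access, which this example attaches to, but that is an assumption about the project), and the list of sensitive parameter names is constructed for illustration. It also handles request lines that carry a trailing HTTP version and URLs without a query string.

```python
import logging
import re
from urllib.parse import parse_qsl, quote_plus, urlsplit, urlunsplit

# Query parameter names whose values must never appear in logs (constructed list;
# extend it with whatever credential fields the application actually accepts).
SENSITIVE_PARAMS = frozenset({"password", "passwd", "token", "secret", "api_key"})
MASK = "***"

# Matches the "METHOD /path?query" prefix of an HTTP request line; a trailing
# " HTTP/1.1" or other text is left untouched.
_REQUEST_LINE = re.compile(r"\b(GET|POST|PUT|PATCH|DELETE)\s+(\S+)")


def redact_url(url: str, sensitive: frozenset = SENSITIVE_PARAMS) -> str:
    """Return url with the values of sensitive query parameters replaced by MASK.

    Non-sensitive parameters are re-encoded with quote_plus so the output is
    still a valid URL; parameter order is preserved.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    redacted = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in sensitive:
            redacted.append(f"{quote_plus(key)}={MASK}")
        else:
            redacted.append(f"{quote_plus(key)}={quote_plus(value)}")
    return urlunsplit(parts._replace(query="&".join(redacted)))


def redact_request_line(line: str) -> str:
    """Redact sensitive query parameters inside a logged HTTP request line."""
    return _REQUEST_LINE.sub(lambda m: f"{m.group(1)} {redact_url(m.group(2))}", line)


class RedactQueryParams(logging.Filter):
    """Logging filter that masks sensitive query parameters in every record.

    The record is formatted first so that URLs passed as %-style arguments
    are also covered, then the arguments are cleared to avoid re-formatting.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_request_line(record.getMessage())
        record.args = ()
        return True  # never drop the record, only sanitize it


if __name__ == "__main__":
    # Attach the filter to the (assumed) access logger and log a constructed
    # request line resembling the one reported in the issue.
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    access_log = logging.getLogger("uvicorn.access")  # assumed logger name
    access_log.addFilter(RedactQueryParams())
    access_log.info("POST /api/users?username=testuser&password=myplaintextpass HTTP/1.1")
```

The filter is attached to the logger rather than to a single handler so that every handler (console, file, container stdout) receives the sanitized record; if the application has several access loggers, attach it to each. Redaction is a safety net for the first suggestion, not a replacement for the second: credentials still travel in the URL and can be captured by proxies and browser history, so moving them into a JSON request body remains the primary fix.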