Blanking out certain fields for security reasons when serializing data

I want to make sure that exception logging does not log sensitive information (i.e. Twitter, GitHub recent breaches).

I have code that looks like this:

    ServiceExceptionHandlers.Add((req, request, exception) =>
    {
        string headers = GetInterestingHeaders(req.Headers);

        // log exception
        Logger.Error($"{req.OperationName} failed. {headers}", ex: exception, data: request);

        // call default exception handler
        return DtoUtils.CreateErrorResponse(request, exception);
    });

    UncaughtExceptionHandlers.Add((req, res, operationName, ex) =>
    {
        if (ex is HttpException)
        {
            res.EndRequest();
        }
        else
        {
            string headers = GetInterestingHeaders(req.Headers);
            Logger.Fatal($"Error for {operationName}: {ex.GetType().Name}: {headers}", ex: ex, data: req.Dto);
        }
    });

As you can see, I pass an object to the logging mechanism, which then takes the data field and turns it into JSON for storage:

    JsonSerializer.SerializeToString(data)

Because the data going into the JsonSerializer can come from anywhere and possibly even contain anything, is it possible to create an overridden type of JsonSerializer (for example SecureJsonSerializer) which would find fields containing strings like Password or Credit or Card and turn their inputs into ###'s? Or is there a better way to go about doing something like this?

I’d use reflection on the object to stub out any sensitive content.

Not a bad idea, let me give it a try.
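
One way the reflection approach suggested in the answer could look, as an added example that is not code from the thread or from ServiceStack. The `LogRedactor` class, the `Login` DTO and the list of sensitive name fragments are assumptions made for illustration.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

public static class LogRedactor
{
    // Assumed list of sensitive name fragments; extend it for your own DTOs.
    static readonly string[] Sensitive = { "password", "credit", "card", "secret", "token" };
    static bool IsSensitive(string name) =>
        Sensitive.Any(s => name.IndexOf(s, StringComparison.OrdinalIgnoreCase) >= 0);

    // Builds a masked copy (dictionaries and lists) of the object graph.
    // The DTO itself is never mutated, so request processing is unaffected.
    public static object Redact(object value, int depth = 0)
    {
        if (value == null) return null;
        Type t = value.GetType();
        if (t.IsPrimitive || t.IsEnum || value is string || value is decimal
            || value is DateTime || value is Guid) return value;
        if (depth > 8) return "[max depth]"; // stops cyclic graphs from recursing forever
        if (value is IDictionary dict)       // mask by key, otherwise keys would be missed
        {
            var copy = new Dictionary<string, object>();
            foreach (DictionaryEntry e in dict)
                copy[e.Key.ToString()] = IsSensitive(e.Key.ToString()) ? "###" : Redact(e.Value, depth + 1);
            return copy;
        }
        if (value is IEnumerable seq)
            return seq.Cast<object>().Select(v => Redact(v, depth + 1)).ToList();
        var result = new Dictionary<string, object>();
        foreach (PropertyInfo p in t.GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            if (!p.CanRead || p.GetIndexParameters().Length > 0) continue;
            result[p.Name] = IsSensitive(p.Name) ? "###" : Redact(p.GetValue(value), depth + 1);
        }
        return result;
    }

    // Constructed sample input: the password is masked, the user name is kept.
    public static void Main()
    {
        var safe = (Dictionary<string, object>)Redact(new Login { UserName = "bob", Password = "hunter2" });
        Console.WriteLine($"UserName={safe["UserName"]} Password={safe["Password"]}");
    }
}
// Hypothetical request DTO used only for the sample above.
public class Login { public string UserName { get; set; } public string Password { get; set; } }
```

In the handlers from the question, the masked copy would be passed as `data: LogRedactor.Redact(request)` instead of the DTO itself. Matching on property names only catches fields whose names give them away; a secret inside a free-text field or an oddly named property still reaches the log.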