Structured logging at API gateways: redaction, sampling, and correlation IDs

Log origin hostnames but avoid full cookie values; hash sensitive identifiers when you need cardinality.

Sample high-volume 200 responses in production while keeping full fidelity for 4xx and 5xx.

Chart preflight share of traffic to catch misconfigured clients early.

Track CORS denial reasons with discrete labels rather than free-text error messages only.