diff --git a/lib/http/server.js b/lib/http/server.js
index 8275c17f..90e3f261 100644
--- a/lib/http/server.js
+++ b/lib/http/server.js
@@ -194,7 +194,7 @@ HTTPServer.prototype._init = function _init() {
   });
 
   this.use(function(req, res, send, next) {
-    var i, params, options, output, address;
+    var i, params, options, censored, output, address;
 
     if (req.method === 'POST' && req.pathname === '/') {
       enforce(typeof req.body.method === 'string', 'Method must be a string.');
@@ -205,13 +205,35 @@ HTTPServer.prototype._init = function _init() {
 
     params = {};
     options = {};
+    censored = {};
 
     softMerge(params, req.params, true);
     softMerge(params, req.query, true);
     softMerge(params, req.body);
+    softMerge(censored, params);
 
     this.logger.debug('Params:');
-    this.logger.debug(params);
+
+    // Censor sensitive data from logs.
+    if (censored.passphrase != null)
+      censored.passphrase = '<redacted>';
+
+    if (censored.old != null)
+      censored.old = '<redacted>';
+
+    if (censored.privateKey != null)
+      censored.privateKey = '<redacted>';
+
+    if (censored.accountKey != null)
+      censored.accountKey = '<redacted>';
+
+    if (censored.master != null)
+      censored.master = '<redacted>';
+
+    if (censored.mnemonic != null)
+      censored.mnemonic = '<redacted>';
+
+    this.logger.debug(censored);
 
     if (params.id) {
       enforce(typeof params.id === 'string', 'ID must be a string.');