I’m not 100% on this but I think GET requests are logged by default.
POST requests, normally used for passwords, don’t get logged by default.
BUT the Uri would get logged would get logged on both, so if the URI contained @username:Password then it’s likely all there in the logs
Never forget, in nineteen ninety eight when the undertaker threw mankind off hell in a cell and plummeted sixteen feet through an announcer’s table.