diff --git a/src/routes/tasks.js b/src/routes/tasks.js index 746bf3c16..380fd36a4 100644 --- a/src/routes/tasks.js +++ b/src/routes/tasks.js @@ -15,11 +15,6 @@ let assert = require('assert'), TaskError = require('../tasks.js').TaskError, tasks = require('../tasks.js'); -function auditSource(req) { - var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress || null; - return { ip: ip, username: req.user ? req.user.username : null, userId: req.user ? req.user.id : null }; -} - function stopTask(req, res, next) { assert.strictEqual(typeof req.params.taskId, 'string'); @@ -39,7 +34,7 @@ function get(req, res, next) { if (error && error.reason === TaskError.NOT_FOUND) return next(new HttpError(404, 'No such task')); if (error) return next(new HttpError(500, error)); - next(new HttpSuccess(200, task)); + next(new HttpSuccess(200, tasks.removePrivateFields(task))); }); } @@ -52,10 +47,12 @@ function list(req, res, next) { if (req.query.type && typeof req.query.type !== 'string') return next(new HttpError(400, 'type must be a string')); - tasks.listByTypePaged(req.query.type || null, page, perPage, function (error, tasks) { + tasks.listByTypePaged(req.query.type || null, page, perPage, function (error, result) { if (error) return next(new HttpError(500, error)); - next(new HttpSuccess(200, { tasks })); + result = result.map(tasks.removeRestrictedFields); + + next(new HttpSuccess(200, { tasks: result })); }); } diff --git a/src/routes/test/tasks-test.js b/src/routes/test/tasks-test.js index 9ee66d6ba..8235b5aae 100644 --- a/src/routes/test/tasks-test.js +++ b/src/routes/test/tasks-test.js @@ -17,7 +17,6 @@ var SERVER_URL = 'http://localhost:' + config.get('port'); var USERNAME = 'superadmin', PASSWORD = 'Foobar?1337', EMAIL ='silly@me.com'; var token = null; -let taskId = null; function setup(done) { config._reset(); 
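Review bot: In the `list` handler, `result.map(tasks.removeRestrictedFields)` references a function that this commit neither defines nor exports; src/tasks.js only gains `removePrivateFields`. Unless `removeRestrictedFields` already exists outside the visible hunks, `map` receives `undefined` and throws a TypeError inside the callback, so the list route fails instead of returning filtered tasks. The line should probably read `result = result.map(tasks.removePrivateFields);`, matching what the `get` handler does. The test changes in this commit only cover the single-task GET, so a list test asserting that `args` is absent from every entry would catch this.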
@@ -63,12 +62,13 @@ describe('Tasks API', function () { task.on('error', done); task.on('start', (tid) => { taskId = tid; }); - task.on('finish', function (error, result) { + task.on('finish', function () { superagent.get(SERVER_URL + '/api/v1/tasks/' + taskId) .query({ access_token: token }) .end(function (err, res) { expect(res.statusCode).to.equal(200); expect(res.body.percent).to.be(100); + expect(res.body.args).to.be(undefined); expect(res.body.active).to.be(false); // finished expect(res.body.result).to.be('ping'); expect(res.body.errorMessage).to.be(null); @@ -83,7 +83,7 @@ describe('Tasks API', function () { task.on('error', done); task.on('start', (tid) => { taskId = tid; }); - task.on('finish', function (error) { + task.on('finish', function () { superagent.get(SERVER_URL + '/api/v1/tasks/' + taskId + '/logs') .query({ access_token: token }) .end(function (err, res) { @@ -99,7 +99,7 @@ describe('Tasks API', function () { task.on('error', done); task.on('start', (tid) => { taskId = tid; }); - task.on('finish', function (error) { + task.on('finish', function () { superagent.post(SERVER_URL + '/api/v1/tasks/' + taskId + '/stop') .query({ access_token: token }) .end(function (err, res) { diff --git a/src/tasks.js b/src/tasks.js index 204bb4dda..476259e96 100644 --- a/src/tasks.js +++ b/src/tasks.js @@ -10,6 +10,8 @@ exports = module.exports = { startTask: startTask, stopTask: stopTask, + removePrivateFields: removePrivateFields, + TaskError: TaskError, // task types. if you add a task here, fill up the function table in taskworker @@ -36,7 +38,8 @@ let assert = require('assert'), spawn = require('child_process').spawn, split = require('split'), taskdb = require('./taskdb.js'), - util = require('util'); + util = require('util'), + _ = require('underscore'); const NOOP_CALLBACK = function (error) { if (error) debug(error); }; 
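Review bot: The added `expect(res.body.args).to.be(undefined);` checks one field on the single-task GET only, so nothing here asserts that the list route changed in the same commit returns filtered entries. If no list test exists outside these hunks, add one with a check such as `res.body.tasks.forEach(function (t) { expect(t.args).to.be(undefined); });`. Separately, the earlier hunk in this file deletes `let taskId = null;` while the `start` handlers shown as context still assign `taskId = tid`. Unless `taskId` is declared elsewhere in the file, that assignment creates an implicit global, or throws a ReferenceError under strict mode. The `describe` block starts and ends outside the hunk.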
@@ -69,13 +72,13 @@ function get(id, callback) { assert.strictEqual(typeof id, 'string'); assert.strictEqual(typeof callback, 'function'); - taskdb.get(id, function (error, progress) { + taskdb.get(id, function (error, task) { if (error && error.reason == DatabaseError.NOT_FOUND) return callback(new TaskError(TaskError.NOT_FOUND)); if (error) return callback(new TaskError(TaskError.INTERNAL_ERROR, error)); - progress.active = !!gTasks[id]; + task.active = !!gTasks[id]; - callback(null, progress); + callback(null, task); }); } @@ -214,3 +217,9 @@ function getLogs(taskId, options, callback) { callback(null, transformStream); } + +// removes all fields that are strictly private and should never be returned by API calls +function removePrivateFields(task) { + var result = _.pick(task, 'id', 'type', 'percent', 'message', 'errorMessage', 'active', 'creationTime', 'result', 'ts'); + return result; +}
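Review bot: The comment on `removePrivateFields` does not say that the function is an allowlist, which is the property a later maintainer has to preserve: any field added to the task record stays out of API responses until it is named in the `_.pick` call. I would state that in the comment, e.g. `// allowlist of task fields that may be returned by API calls; new fields stay hidden until added here`. The intermediate `var result` can also go, leaving `return _.pick(task, 'id', 'type', ...);` with the same field list.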