Description
As an apisix user, I have enabled loki-logger (without overriding log_format) and I have quickly noticed that all headers are being logged, including request_headers_authorization, request_headers_x_userinfo, request_headers_x_access_token.
According to very common security practices, such data should not be logged. While we have the possibility to override what's being logged via log_format, I would expect the defaults to follow security practices.
In an ideal scenario, we should introduce a parameter to the plugin configuration which contains a list of HTTP headers to be dropped, and it should by default include the Authorization, X-Userinfo, X-Access-Token fields.
This could possibly apply to other logger plugins, too.
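The drop-list behaviour proposed above, modelled as a standalone Python function (an added example, not APISIX code; the real plugin is written in Lua, and the parameter name `drop_headers` and the sample log entry are assumptions). It shows the two shapes the issue touches on, the nested `request.headers` block and the flattened `request_headers_<name>` keys, and lets a deployment choose between deleting the field and replacing it with a placeholder so analysts can still see that the header was present:

```python
from copy import deepcopy

# Default drop-list as proposed in the issue (assumed parameter name: drop_headers).
DEFAULT_DROP_HEADERS = ("Authorization", "X-Userinfo", "X-Access-Token")


def _norm(name):
    """Header names are case-insensitive; the flattened log keys use '_' for '-'."""
    return name.strip().lower().replace("-", "_")


def scrub_log_entry(entry, drop_headers=DEFAULT_DROP_HEADERS, placeholder=None):
    """Return (scrubbed_copy, removed_keys).

    Handles the nested shape (entry["request"]["headers"][name]) and the
    flattened shape (entry["request_headers_<name>"]) quoted in the issue.
    With placeholder=None the field is deleted; otherwise it is replaced.
    The input entry is never modified.
    """
    dropped = {_norm(h) for h in drop_headers}
    out = deepcopy(entry)
    removed = []

    def scrub(mapping, key_to_header):
        for key in list(mapping):
            header = key_to_header(key)
            if header is not None and _norm(header) in dropped:
                removed.append(key)
                if placeholder is None:
                    del mapping[key]
                else:
                    mapping[key] = placeholder

    request = out.get("request")
    if isinstance(request, dict) and isinstance(request.get("headers"), dict):
        scrub(request["headers"], lambda k: k)

    prefix = "request_headers_"
    scrub(out, lambda k: k[len(prefix):] if k.startswith(prefix) else None)

    return out, sorted(removed)


# Constructed sample entry (not real traffic): nested headers plus flattened keys.
SAMPLE_ENTRY = {
    "request": {
        "method": "GET",
        "uri": "/api/v1/me",
        "headers": {
            "Authorization": "Bearer eyJ...REDACTME",
            "X-Userinfo": "eyJ...REDACTME",
            "user-agent": "curl/8.0",
        },
    },
    "request_headers_x_access_token": "REDACTME",
    "request_headers_host": "example.test",
    "status": 200,
}


def demo():
    """Scrub the sample entry and confirm no credential material survives."""
    clean, removed = scrub_log_entry(SAMPLE_ENTRY)
    assert "REDACTME" not in repr(clean)
    return clean, removed


if __name__ == "__main__":
    clean, removed = demo()
    print("removed:", removed)
    print(clean)
```

Matching is done on the normalised header name rather than the raw key, so `Authorization`, `authorization` and the flattened `request_headers_authorization` are all caught by one list entry; a deployment that also forwards `Cookie` or a custom token header only has to extend `drop_headers`.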