Mechanism to redact sensitive information in the logs #6295
Replies: 2 comments 4 replies
-
We should try adding |
Beta Was this translation helpful? Give feedback.
4 replies
-
This was implemented |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Initially reported on Discord that printing
access_token
to the logs in a security issue. In an environment where logs are aggregated centrally, i.e. Google GCP or AWS, accidentally setting log level toinfo
would cause a situation if a static token is used.@rijkvanzanten suggested that logger package (pino) has a built-in redaction option: https://github.com/pinojs/pino/blob/master/docs/redaction.md. However, it's unsure if that applies to query parameters within the URL as well 🤔
Further read into pino docs and log structure point to the minimum pino redact options of
{"redact": ["req.headers.authorization"]}
. However, it doesn't support redacting part of the value (would be with a great cost if it did).Interestingly, pino page mentions
GDPR COMPLIANT
which makes this more likely to be an issue without some measures in place.If we can make the redact keys configurable, one could use
{"redact": ["req.headers.authorization", "req.url"]}
to be completely on the safe side. But the log would become less useful without request path.Another option is to block the
access_token
query param combining with the aforementioned minimum redact options.@rijkvanzanten replied: That's the main thing we'll have to look into. Redacting the authorization header is a good thing of course, but we'll have to make sure that the query param is also handled, otherwise it's a half-measure 🤔
The token may (need to) dynamically be added to the URLs (something similar to #5920). So whatever the solution is, it should support this use case.
Beta Was this translation helpful? Give feedback.
All reactions