-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http.request.cookies is redacted but Cookie header is not #1402
Comments
Hi @fisherking thanks for opening this issue. Would you mind testing the PR opened here and letting me know if that's a sufficient solution? #1405 |
I have opposite experience. everything in My configuration part looks like this:
|
I tried that branch, but i still see parsed cookies. Raw cookie header is filtered |
We're having the same issue as described in OP - with ruby agent 4.7.0. Using the default settings, the For the record, this is what I set the envvar to filter the
|
Describe the bug
From the spec:
However, this only happens for the
http.request.cookies
property, not theCookie
header.It's possible to mitigate the issue just by extending
ELASTIC_APM_SANITIZE_FIELD_NAMES
withcookie
wildcard, but that's different from the default agent behaviourSteps to reproduce
It is enough just to inspect any transaction containing
Cookie
header withsession
, or any other sensitive keyExpected behaviour
One of the following behaviours needs to be implemented:
Cookie
header after adding thecookie
property (like it's done in java agent - link)Environment
The text was updated successfully, but these errors were encountered: