FEATURE REQUEST: Logging without sensitive data by default (privacy by design) #1093
Sure thing, like I said in #438: if you have an idea for the improvement, we're always open to PRs.
GitRon pushed a commit to GitRon/django-axes that referenced this issue (Jul 26, 2023).
GitRon pushed a commit to GitRon/django-axes that referenced this issue (Jul 26, 2023); its message notes merge conflicts in axes/helpers.py and tests/test_helpers.py.
GitRon pushed a commit to GitRon/django-axes that referenced this issue (Jul 27, 2023).
GitRon pushed a commit to GitRon/django-axes that referenced this issue (Jul 27, 2023).
GitRon pushed a commit to GitRon/django-axes that referenced this issue (Jul 27, 2023): "… to follow "privacy-by-design"".
Thanks for the PR👍
Thx for merging!
GitRon pushed a commit to GitRon/django-axes that referenced this issue (Aug 17, 2023).
aleksihakli pushed a commit that referenced this issue (Aug 19, 2023).
Hi @aleksihakli,
we found out that AXES logs the IP and username to the configured Django log on a failed attempt. The IP address is critical by definition, but the username is very often the email address of the user, so it's even more critical.
I would love to see a solution where we avoid logging any sensitive information, unless you explicitly want this and enable it.
So my suggestion:
- AXES_VERBOSE is set to False by default.
- The get_client_str method does not print the username when verbose mode is off, but the user ID. This will help you as much as the username to find the specific user, but you avoid spilling the data everywhere (like some fancy server or cloud logs).
What do you think? Would you be open to a PR?
Best
Ronny
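One way to implement the suggestion above, as an added example that is not django-axes code: the setting name, key and helper names (AXES_VERBOSE, PSEUDONYM_KEY, privacy_client_str) are hypothetical stand-ins, and it goes beyond the post by also truncating the IP and giving failed attempts for unknown accounts a keyed pseudonym instead of the raw login name.

```python
import hashlib
import hmac
import ipaddress
import logging
import re

# Hypothetical stand-ins for Django settings (not django-axes settings).
AXES_VERBOSE = False  # privacy-by-design default: no raw usernames in logs
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"  # constructed; load real keys from config
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def anonymize_ip(ip_address: str) -> str:
    """Keep only the network part (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip_address)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize(identifier: str) -> str:
    """Keyed one-way tag: the same login name yields the same tag across attempts
    (brute-force patterns stay visible) but cannot be reversed without the key."""
    digest = hmac.new(PSEUDONYM_KEY, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:12]


def privacy_client_str(username, ip_address, user_id=None, verbose=AXES_VERBOSE):
    """Client identifier for the failed-attempt log line (hypothetical helper).
    verbose=True keeps today's raw username and IP; verbose=False logs the user id
    when the account exists, a keyed pseudonym otherwise, and a truncated IP."""
    if verbose:
        return f"username={username!r} ip={ip_address}"
    who = f"user_id={user_id}" if user_id is not None else f"user_tag={pseudonymize(username)}"
    return f"{who} ip={anonymize_ip(ip_address)}"


def redact_emails(text: str) -> str:
    """Replace anything email-shaped in free text with its pseudonym."""
    return EMAIL_RE.sub(lambda m: "email:" + pseudonymize(m.group(0)), text)


class RedactEmailFilter(logging.Filter):
    """Second line of defence on the logger, for code paths that still format
    an email address into a message (attach with logger.addFilter)."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact_emails(record.getMessage()), ()
        return True
```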