FEATURE REQUEST: Logging without sensitive data by default (privacy by design) #1093

Closed
GitRon opened this issue Jul 25, 2023 · 3 comments · Fixed by #1095

Comments

@GitRon
Contributor

GitRon commented Jul 25, 2023

Hi @aleksihakli

We found out that AXES logs IP and username to the configured Django log on a failed attempt. The IP address is critical by definition but the username is very often the email address of the user - so it's even more critical.

I would love to see a solution where we avoid logging any sensitive information - unless you explicitly want this and enable it.

So my suggestion:

  • AXES_VERBOSE is set to False by default
  • The get_client_str method does not print the username when verbose mode is off but the User ID. This will help you as much as the username to find the specific user but you avoid spilling the data everywhere (like some fancy server or cloud logs)

What do you think? Would you be open for a PR?

Best
Ronny

@aleksihakli
Member

Sure thing, like I said in #438, if you have an idea for the improvement we're always open for PRs.

GitRon pushed a commit to GitRon/django-axes that referenced this issue Jul 26, 2023
# Conflicts:
#	axes/helpers.py
#	tests/test_helpers.py
GitRon pushed a commit to GitRon/django-axes that referenced this issue Jul 27, 2023
@aleksihakli
Member

Thanks for the PR👍

@GitRon
Contributor Author

GitRon commented Jul 31, 2023

Thx for merging!
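
The behaviour proposed in this issue, sketched as an added example (not django-axes code and not taken from PR #1095): without an explicit verbose opt-in, the failed-attempt log line carries a user ID instead of the username. It goes beyond the suggestion in two labelled assumptions: usernames with no matching account get a keyed pseudonym, and the IP address is truncated to its network. All names (`client_str`, `user_ref`, `mask_ip`, `USERS`, `PSEUDONYM_KEY`) are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import logging

log = logging.getLogger("auth.failures")

# Constructed sample data: username -> primary key, standing in for a user table.
USERS = {"alice@example.com": 17}
# Hypothetical per-deployment secret, used only to pseudonymise unknown usernames.
PSEUDONYM_KEY = b"constructed-demo-key"


def mask_ip(ip: str) -> str:
    """Assumption: keep only the network part (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def user_ref(username: str) -> str:
    """User ID for known accounts; keyed pseudonym when no account matches."""
    user_id = USERS.get(username)
    if user_id is not None:
        return f"user_id={user_id}"
    # A failed attempt often names a user that does not exist, so there is no
    # ID to log. A keyed hash still lets repeated attempts be correlated
    # without writing the submitted value (often an email address) to the log.
    digest = hmac.new(PSEUDONYM_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"unknown_user={digest[:12]}"


def client_str(username: str, ip: str, verbose: bool = False) -> str:
    """Client description for the log; raw values only on explicit opt-in."""
    if verbose:
        return f'{{username: "{username}", ip_address: "{ip}"}}'
    return f'{{{user_ref(username)}, ip_network: "{mask_ip(ip)}"}}'


def log_failed_attempt(username: str, ip: str, verbose: bool = False) -> str:
    """Write the failed-attempt line and return it so callers can inspect it."""
    line = f"Failed login attempt by {client_str(username, ip, verbose)}"
    log.warning(line)
    return line
```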
