
[BUG] Authorization header included when enableRequestHeaderTracking is enabled #1569

Closed
mauve opened this issue May 26, 2021 · 3 comments · Fixed by #1570

Comments

mauve commented May 26, 2021

Description/Screenshot

[screenshot: view in Application Insights portal]

Steps to Reproduce

  • OS/Browser: any
  • SDK Version: 2.6.2
  • How you initialized the SDK:

```js
import { ApplicationInsights } from "@microsoft/applicationinsights-web";

// `key` is the instrumentation key supplied by the caller
const ai = new ApplicationInsights({
  config: {
    instrumentationKey: key,
    disableFetchTracking: false,        // keep fetch() calls instrumented
    enableCorsCorrelation: true,
    enableRequestHeaderTracking: true,  // logs outgoing request headers, Authorization included
    enableResponseHeaderTracking: true  // logs response headers as well
  }
});
ai.loadAppInsights();
```

Enable request header tracking using enableRequestHeaderTracking. The Authorization/authorization header now gets logged, and the token can be stolen by anybody looking at the logs.

Expected behavior

The Authorization/authorization header should not be logged, instead a redacted version should be logged, e.g. instead of Authorization: Bearer Asddsfsdafsdafdsafdsafdsaf it should say something like Authorization: {REDACTED}

Additional context

MSNev (Collaborator) commented May 26, 2021

1000% agree, I'm not sure how or why this has not been brought up before...

I'm sure that the Authorization header is not the only one to fall into this category; this (to me) sounds like we should add the ability to supply a config (which defaults to known headers) to define which headers to exclude or redact (as suggested) from this (and response header tracking).

I'll raise this with the team and we will try and get this into the next release.
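The redaction mauve asks for (Authorization: {REDACTED}) and the configurable deny list MSNev proposes, applied to both request and response headers, as an added example in JavaScript. It is not code from this thread or from the Application Insights JS SDK. It assumes a default header list of its own choosing, that tracked headers sit on the dependency envelope as baseData.properties.requestHeaders / responseHeaders (an assumption; check the SDK version you run), and that the initializer would be registered through the SDK's addTelemetryInitializer. The sample envelope and its bearer token are constructed.

```javascript
// Added example: not code from this issue thread or from the Application Insights JS SDK.
// Redacts sensitive headers before a dependency item reaches the telemetry channel.

// Default deny list. This list is an assumption for the example; the SDK's own
// default (and the name of its config option) must be checked against the release.
const DEFAULT_SENSITIVE_HEADERS = [
  "authorization",
  "proxy-authorization",
  "cookie",
  "set-cookie",
  "x-api-key",
  "www-authenticate",
];

const REDACTED = "{REDACTED}";

// Return a copy of `headers` with every deny-listed name replaced by the marker.
// Header names are matched case-insensitively, which covers both spellings
// ("Authorization" and "authorization") seen in the report.
function redactHeaders(headers, sensitive = DEFAULT_SENSITIVE_HEADERS) {
  if (!headers || typeof headers !== "object") return headers;
  const deny = new Set(sensitive.map((h) => h.toLowerCase()));
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = deny.has(name.toLowerCase()) ? REDACTED : value;
  }
  return out;
}

// Build a telemetry initializer. Assumption: tracked headers live on the
// envelope at baseData.properties.requestHeaders / responseHeaders. The
// initializer rewrites them in place and returns true so the item is still sent.
function makeHeaderRedactingInitializer(sensitive = DEFAULT_SENSITIVE_HEADERS) {
  return function redactingInitializer(envelope) {
    const props = envelope && envelope.baseData && envelope.baseData.properties;
    if (props) {
      for (const key of ["requestHeaders", "responseHeaders"]) {
        if (props[key]) props[key] = redactHeaders(props[key], sensitive);
      }
    }
    return true;
  };
}

// Guard: true if a deny-listed header on the envelope still carries a raw value.
// Run it in a unit test, or over exported telemetry, to catch a missed header.
function leaksSensitiveHeader(envelope, sensitive = DEFAULT_SENSITIVE_HEADERS) {
  const deny = new Set(sensitive.map((h) => h.toLowerCase()));
  const props = envelope && envelope.baseData && envelope.baseData.properties;
  if (!props) return false;
  for (const key of ["requestHeaders", "responseHeaders"]) {
    for (const [name, value] of Object.entries(props[key] || {})) {
      if (deny.has(name.toLowerCase()) && value !== REDACTED) return true;
    }
  }
  return false;
}

// Constructed sample: a RemoteDependency-shaped item with the headers the report
// describes. The bearer token is a made-up placeholder, not a real credential.
function buildSampleEnvelope() {
  return {
    name: "Microsoft.ApplicationInsights.Dependency",
    baseType: "RemoteDependencyData",
    baseData: {
      name: "GET /api/orders",
      properties: {
        requestHeaders: {
          Accept: "application/json",
          authorization: "Bearer Asddsfsdafsdafdsafdsafdsaf",
          "Request-Id": "|abc.def.",
        },
        responseHeaders: {
          "Content-Type": "application/json",
          "WWW-Authenticate": 'Bearer realm="example"',
        },
      },
    },
  };
}

// Wire-up with the SDK would be:
//   ai.addTelemetryInitializer(makeHeaderRedactingInitializer());
// (addTelemetryInitializer is a real SDK method; the initializer body is example code.)
// Stand-alone run: redact the sample and report whether anything still leaks.
const envelope = buildSampleEnvelope();
const leakedBefore = leaksSensitiveHeader(envelope);
makeHeaderRedactingInitializer()(envelope);
console.log(JSON.stringify({
  leakedBefore,
  leakedAfter: leaksSensitiveHeader(envelope),
  requestHeaders: envelope.baseData.properties.requestHeaders,
}, null, 2));
```

The redaction keeps the header name and replaces only the value, so an analyst can still see that a request carried credentials without the credential itself landing in the portal; leaksSensitiveHeader is the check to keep in the test suite so a renamed or newly added header cannot silently reintroduce the leak.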

MSNev (Collaborator) commented Jun 10, 2021

v2.6.3 is now fully deployed

MSNev closed this as completed Jun 10, 2021

github-actions bot commented Jun 11, 2022

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions bot locked as resolved and limited conversation to collaborators Jun 11, 2022