Steps to Reproduce
Enable request header tracing using `enableRequestHeaderTracing`. The `Authorization`/`authorization` header now gets logged and the token can be stolen by anybody looking at the logs.
Expected behavior
The `Authorization`/`authorization` header should not be logged; instead a redacted version should be logged, e.g. instead of `Authorization: Bearer Asddsfsdafsdafdsafdsafdsaf` it should say something like `Authorization: {REDACTED}`.
Additional context
1000% agree, I'm not sure how or why this has not been brought up before...
I'm sure that the `Authorization` header is not the only one to fall into this category. This (to me) sounds like we should add the ability to supply a config (which defaults to known headers) to define which headers to exclude or redact (as suggested) from this (and from response header tracking).
I'll raise this with the team and we will try and get this into the next release.
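As an added illustration of the redaction discussed in the issue and the comment above (example code, not the project's own and not from either commenter): a header filter with a configurable deny-list that defaults to known sensitive headers, matches names case-insensitively so `Authorization` and `authorization` are treated alike, and replaces values with `{REDACTED}` before the headers reach a trace line. The default list beyond `Authorization` and the trace format are assumptions.

```javascript
// Added example: redact sensitive headers before they are written to a
// trace/log. Not the project's code; the `{REDACTED}` marker follows the
// issue text, the default list and trace format are assumptions.

// Header names are case-insensitive, so matching is done on the lower-cased
// name; "Authorization" and "authorization" hit the same entry.
const DEFAULT_SENSITIVE_HEADERS = Object.freeze([
  'authorization',
  'proxy-authorization',
  'cookie',
  'set-cookie',
  'x-api-key',
]);

const REDACTED = '{REDACTED}';

/**
 * Return a copy of `headers` with the values of sensitive headers replaced
 * by the redaction marker. The original header name (and its casing) is
 * kept so the trace still shows that the header was present.
 *
 * @param {Record<string, string|string[]>} headers  name -> value(s)
 * @param {string[]} [sensitive]  names to redact; defaults to the known list
 */
function redactHeaders(headers, sensitive = DEFAULT_SENSITIVE_HEADERS) {
  const deny = new Set(sensitive.map((h) => h.toLowerCase()));
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (deny.has(name.toLowerCase())) {
      // Multi-valued headers (e.g. Set-Cookie) are redacted element-wise so
      // the number of values is preserved without leaking any of them.
      out[name] = Array.isArray(value) ? value.map(() => REDACTED) : REDACTED;
    } else {
      out[name] = value;
    }
  }
  return out;
}

// Render headers the way a request-header trace line would show them.
function formatHeadersForTrace(headers, sensitive) {
  return Object.entries(redactHeaders(headers, sensitive))
    .map(([name, value]) => `${name}: ${[].concat(value).join(', ')}`)
    .join('\n');
}

// Constructed sample request; the bearer token is a made-up placeholder.
const sampleHeaders = {
  Host: 'example.test',
  Authorization: 'Bearer Asddsfsdafsdafdsafdsafdsaf',
  'Content-Type': 'application/json',
};
console.log(formatHeadersForTrace(sampleHeaders));
// prints "Authorization: {REDACTED}" on the token line
```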