Description
Currently the INFO log level reveals sensitive credentials even if they are passed in the request as headers, for example:
[info] 29#29: *149565 [lua] proxy.lua:82: output_debug_headers(): usage: usage%5Btest%5D=1 credentials: app_key=abcdefg123456&app_id=a1b2d3, client: 10.10.10.10, server: _, request: "GET /some/path HTTP/1.1", host: "some.host"
[info] 29#29: *149565 [lua] backend_client.lua:133: call_backend_transaction(): backend client uri: https://backend.test/transactions/authrep.xml?service_id=4&service_token=abcdefg&usage%5Btest%5D=1&app_key=abcdefghi1234567&app_id=0123abcd ok: true status: 200 body: error: nil, client: 10.10.10.10, server: _, request: "GET /some/path HTTP/1.1", host: "some.host"
The request is to only show such information when the log level is configured to debug.
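One way to check existing logs for this exposure, as an added example that is not part of the original issue or the project's own code: it finds the credential parameters shown in the two lines above, reports every line that carries them at a level other than debug, and masks the values. The parameter list, function names and sample lines are assumptions constructed for illustration.

```python
import re

# Credential parameters seen in the log lines above (assumed list; extend as needed).
SENSITIVE_PARAMS = ("app_key", "app_id", "service_token")
MASK = "[REDACTED]"

# name=value, where the value ends at '&', ',', '"' or whitespace.
_PARAM_RE = re.compile(r"\b(" + "|".join(SENSITIVE_PARAMS) + r')=([^&\s,"]+)')
# The first [word] in an nginx error-log line is its level.
_LEVEL_RE = re.compile(r"\[(\w+)\]")


def redact_line(line):
    """Mask credential values; return (masked_line, parameter_names_found)."""
    found = []

    def _mask(match):
        found.append(match.group(1))
        return match.group(1) + "=" + MASK

    return _PARAM_RE.sub(_mask, line), found


def audit(lines):
    """List (line_number, level, names) for credentials logged at a non-debug level."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = _LEVEL_RE.search(line)
        level = match.group(1) if match else "unknown"
        _, names = redact_line(line)
        if names and level != "debug":
            findings.append((number, level, names))
    return findings


# Constructed sample lines in the format shown above, with placeholder values.
SAMPLE = [
    '[info] 29#29: *1 [lua] proxy.lua:82: output_debug_headers(): usage: usage%5Btest%5D=1 credentials: app_key=EXAMPLEKEY&app_id=EXAMPLEID, client: 10.10.10.10, server: _',
    '[info] 29#29: *1 [lua] backend_client.lua:133: call_backend_transaction(): backend client uri: https://backend.test/transactions/authrep.xml?service_id=4&service_token=EXAMPLETOKEN&usage%5Btest%5D=1&app_key=EXAMPLEKEY&app_id=EXAMPLEID ok: true status: 200',
    '[debug] 29#29: *1 [lua] proxy.lua:82: output_debug_headers(): credentials: app_key=EXAMPLEKEY&app_id=EXAMPLEID, client: 10.10.10.10',
    '[info] 29#29: *1 client closed connection',
]

if __name__ == "__main__":
    for number, level, names in audit(SAMPLE):
        print(f"line {number} [{level}] contains {', '.join(names)}")
    for line in SAMPLE:
        print(redact_line(line)[0])
```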
Issue Links
- is related to THREESCALE-2005 Ability to mask keys in the logs (Closed)