Removing Authorization headers from logs #52
Replies: 1 comment 7 replies
-
|
Hey @Sachin4403, I agree. Two suggestions I have heard so far are (1) Follow this implementation you show by removing the sensitive headers and (2) Instead of logging all headers, only log those we think we need. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @joe94, We need to do something here also. Here we are printing the AuthToken in logs. |
Beta Was this translation helpful? Give feedback.
-
|
@Sachin4403, those entries could be filtered out in your production environment by setting your log level to something above debug (i.e. |
Beta Was this translation helpful? Give feedback.
-
|
Okay, @joe94 will change the log level. |
Beta Was this translation helpful? Give feedback.
-
|
@Sachin4403, could you mark this question as "answered"/"resolved"? thanks! |
Beta Was this translation helpful? Give feedback.
-
Hi @joe94, I am not getting an option to mark this as resolved. Can you do it from your end? |
Beta Was this translation helpful? Give feedback.
-
We want to skip Authorisation being printed in logs. Anyone who is having access to those logs can harm the system using Authorization and we will never know who did this. Already this is implemented in argus.
https://github.com/xmidt-org/argus/blob/c2562df18c76f64ff59262c55a45bb5804566a00/auth/logger.go#L49-L58
Beta Was this translation helpful? Give feedback.
All reactions