Sensitive data redaction
Version 3.0.0 and above implement a sensitive data redaction system which disables logging of sensitive fields. These fields will contain ‘redacted’ instead of the original content or are omitted.
Following fields are redacted by default:
remote_ipremote_hostremote_portx_forwarded_forx_forwarded_hostx_forwarded_protox_custom_hostremote_userreferer
Following fields are omitted by default:
x_ssl_clientx_ssl_client_verifyx_ssl_client_subject_dnx_ssl_client_subject_cnx_ssl_client_issuer_dnx_ssl_client_notbeforex_ssl_client_notafterx_ssl_client_session_id
In order to activate usual logging for all or some of these fields you have to set specific environment variables:
| Environment Variable | Optional fields |
|---|---|
LOG_SENSITIVE_CONNECTION_DATA: true | activates the fields remote_ip, remote_host, remote_port, x_forwarded_* and x_custom_host |
LOG_REMOTE_USER: true | activates the field remote_user |
LOG_REFERER: true | activates the field referer |
LOG_SSL_HEADERS: true | activates the ssl header fields x_ssl_* |
This behavior matches with the corresponding mechanism in the CF Java Logging Support library.
If you want to override the default behaviour of sensitive data redaction please go to Configuration Fields