Mask the keys / password values before logging.

@Dino-at-Google @Dino @Sheba Babu @Anil Sagar @ Google @marshg@google.com @Siddharth Barahalikar @Sai Saran Vaidyanathan @Jeremy Whitlock

Concern: Password is an attribute that is passed by the consumers. So, this value should not be logged in Splunk/Kibana; we should mask the Password value as ******. The password will be passed in either of the three ways mentioned below. Is there any way to resolve this issue using a regex with the help of the JavaScript policy?

1. Passing data as json payload

{"password":"23434"}

2. Passing data as application/x-www-form-urlencoded

password=23434&id=34

3. Passing data as multipart/form-data

----------------------------94176712062927
Content-Disposition: form-data; name="password"

23434
----------------------------941712062927
Content-Disposition: form-data; name="idd"

new
----------------------------94116712062927--

Required Solution:

1. json payload

{"password":"****"}

2. application/x-www-form-urlencoded

password=****&id=34

3. multipart/form-data

----------------------------94176712062927
Content-Disposition: form-data; name="password"

***
----------------------------941712062927
Content-Disposition: form-data; name="idd"

new
----------------------------94116712062927--

We don't log the payload of the request and response. When you are sending the password in the body, it's not getting masked. What you can do is use JavaScript to mask the payload content you want and set it to a variable, then use the same variable for logging in the MessageLogging policy. This will no longer have the values of username and password.
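The approach described in the question and in the reply above (mask the password value with a regex in a JavaScript policy, store the result in a variable, and point the MessageLogging policy at that variable instead of the raw body), as an added example that is not from the original thread or from Apigee. It covers the three body formats listed in the question. The function names, the flow variable name masked.body, and the sample multipart body are assumptions; the multipart pattern assumes a properly line-delimited body rather than the flattened one pasted in the question. It is kept to ES5 syntax so it runs unchanged both in Node and inside the policy.

```javascript
// Added example: regex-based masking of a "password" field before logging.
// Not Apigee's own code. Entry point: maskPassword(body, contentType).

var MASK = '****';

// 1. JSON: replace the value of any "password" key. The value may be a quoted
//    string (escaped quotes inside it are tolerated by (?:\\.|[^"\\])*) or a
//    bare token such as a number; either way it is replaced by a quoted MASK.
function maskJson(body) {
  return body.replace(
    /("password"\s*:\s*)(?:"(?:\\.|[^"\\])*"|[^,}\]\s]+)/gi,
    '$1"' + MASK + '"');
}

// 2. application/x-www-form-urlencoded: the value runs from "password=" to the
//    next '&' or the end of the body. (^|&) anchors on a field boundary so a
//    field that merely ends in "password" (e.g. oldpassword) is left alone.
function maskForm(body) {
  return body.replace(/(^|&)(password=)[^&]*/gi, '$1$2' + MASK);
}

// 3. multipart/form-data: the value follows the part's header block
//    (Content-Disposition ... name="password", optional extra headers, then a
//    blank line) and runs until the next boundary line, which starts with "--".
//    Both CRLF and LF line endings are accepted.
function maskMultipart(body) {
  return body.replace(
    /(Content-Disposition:[^\r\n]*name="password"[^\r\n]*\r?\n(?:[^\r\n]+\r?\n)*\r?\n)[\s\S]*?(?=\r?\n--)/gi,
    '$1' + MASK);
}

// Dispatch on the Content-Type. For an unknown or missing type all three
// patterns are applied; they do not overlap, so this errs on the side of masking.
function maskPassword(body, contentType) {
  var ct = (contentType || '').toLowerCase();
  if (ct.indexOf('application/json') === 0) return maskJson(body);
  if (ct.indexOf('application/x-www-form-urlencoded') === 0) return maskForm(body);
  if (ct.indexOf('multipart/form-data') === 0) return maskMultipart(body);
  return maskMultipart(maskForm(maskJson(body)));
}

// Constructed sample multipart body (boundary value is made up for the example).
var BOUNDARY = '----------------------------94176712062927';
var SAMPLE_MULTIPART =
  '--' + BOUNDARY + '\r\n' +
  'Content-Disposition: form-data; name="password"\r\n\r\n' +
  '23434\r\n' +
  '--' + BOUNDARY + '\r\n' +
  'Content-Disposition: form-data; name="idd"\r\n\r\n' +
  'new\r\n' +
  '--' + BOUNDARY + '--\r\n';

// Inside an Apigee JavaScript policy the runtime provides 'context'; read the
// raw request body and content type, mask, and store the result in an assumed
// flow variable "masked.body" for the MessageLogging policy to reference
// (e.g. {masked.body} in its message template) instead of request.content.
if (typeof context !== 'undefined') {
  var maskedBody = maskPassword(
    context.getVariable('request.content') || '',
    context.getVariable('request.header.content-type') || '');
  context.setVariable('masked.body', maskedBody);
}
```

Regex scrubbing is a best-effort log sanitizer, not a parser: it will miss a JSON body that spreads a key across escape sequences or a form field that is percent-encoded as %70assword, so treat it as defence in depth for the log pipeline rather than as the only control over where the raw body goes.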

@Ashwith G

It's not recommended to log the request and response payload, especially due to PII/PCI and any other compliance reasons. Apigee does not log/store any payloads. For your use case, I would recommend the same. What you should do is enable data masking in Apigee so that it's not visible in Trace. This is important as it could show up as plain text. This addresses your compliance and also avoids creating a policy to obfuscate the sensitive information.

@sai - Yeah, I agree with your point; my idea is to use a regex in JS to just hide the value of the particular attribute (password).

@ashwithds123 - how did you go with masking sensitive fields before logging to Splunk?