IHttpClientBuilder should have extension to redact query parameter from logging #68675
Comments
Tagging subscribers to this area: @dotnet/ncl
Issue Details
The current implementation of the Microsoft.Extensions.Http logging framework redacts header values based on user input; however, it does not support redacting sensitive information from query parameters, which is kind of a security issue.
For customers that are more concerned about this logging risk or have to meet audit requirements for all their integrated services, it is important to redact query parameter values based on user input.
The problem lies here - runtime/src/libraries/Microsoft.Extensions.Http/src/Logging/LoggingScopeHttpMessageHandler.cs Line 133 in 215b39a
We could implement this feature the same way as we have an extension in IHttpClientBuilder to redact from header. Line 463 in 215b39a
We might name this extension
Thanks,
Thanks for raising the concern @anktsrkr. As a quick workaround for the time being, you can consider removing the logging entirely by putting that code after all your services.RemoveAll<IHttpMessageHandlerBuilderFilter>();
Triage: URIs aren’t meant to contain secrets for various reasons, e.g. proxies. But we still might want to add some way to control this. Given there's a workaround, moving to future.
Note that #74339 asked for redacting not only query parameters, but path as well
FWIW, even the new HTTP logging in ASP.NET defaults to logging the path (though it is configurable).
Duplicate of #77312
The current implementation of the Microsoft.Extensions.Http logging framework redacts header values based on user input; however, it does not support redacting sensitive information from query parameters, which is kind of a security issue.
For customers that are more concerned about this logging risk or have to meet audit requirements for all their integrated services, it is important to redact query parameter values based on user input.
The problem lies here -
runtime/src/libraries/Microsoft.Extensions.Http/src/Logging/LoggingScopeHttpMessageHandler.cs
Line 133 in 215b39a
We could implement this feature the same way as we have an extension in IHttpClientBuilder to redact from header.
runtime/src/libraries/Microsoft.Extensions.Http/src/DependencyInjection/HttpClientBuilderExtensions.cs
Line 463 in 215b39a
We might name this extension
RedactLoggedQueryParameters
Thanks,
Ankit S
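One way to get the redaction this issue asks for with today's API, as an added example that is not part of Microsoft.Extensions.Http or of the thread: a custom `DelegatingHandler` that logs the request URI with selected query values masked, used together with the `RemoveAll` workaround from the comments so the built-in handlers no longer log the raw URI. `QueryRedactor`, `RedactingLoggingHandler`, the client name `api` and the parameter names `api_key` and `sig` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;

// Added example: QueryRedactor and RedactingLoggingHandler are hypothetical names, not library types.
public static class QueryRedactor
{
    // Returns the URI text with the values of the named query parameters replaced by "*".
    public static string Redact(Uri uri, ISet<string> sensitiveNames)
    {
        // Uri.Query throws for relative URIs, so fail closed instead of logging them raw.
        if (!uri.IsAbsoluteUri) return "(relative URI not logged)";
        if (uri.Query.Length <= 1) return uri.GetLeftPart(UriPartial.Path);
        var pairs = uri.Query.Substring(1).Split('&').Select(pair =>
        {
            int eq = pair.IndexOf('=');
            string name = eq < 0 ? pair : pair.Substring(0, eq);
            // Compare the decoded name so that "api%5Fkey" is matched like "api_key".
            bool sensitive = sensitiveNames.Contains(Uri.UnescapeDataString(name));
            return sensitive && eq >= 0 ? name + "=*" : pair;
        });
        return uri.GetLeftPart(UriPartial.Path) + "?" + string.Join("&", pairs);
    }
}

// Logs one line per request with the redacted URI; the raw URI never reaches the logger.
public sealed class RedactingLoggingHandler : DelegatingHandler
{
    private readonly ILogger _logger;
    private readonly ISet<string> _sensitive;
    public RedactingLoggingHandler(ILogger logger, IEnumerable<string> sensitiveNames)
    {
        _logger = logger;
        _sensitive = new HashSet<string>(sensitiveNames, StringComparer.OrdinalIgnoreCase);
    }
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        string target = request.RequestUri is null ? "(no URI)" : QueryRedactor.Redact(request.RequestUri, _sensitive);
        var response = await base.SendAsync(request, ct);
        _logger.LogInformation("{Method} {Uri} -> {StatusCode}", request.Method, target, (int)response.StatusCode);
        return response;
    }
}
// Registration (constructed values), with the thread's workaround placed after the AddHttpClient calls:
//   services.AddHttpClient("api").AddHttpMessageHandler(sp => new RedactingLoggingHandler(
//       sp.GetRequiredService<ILogger<RedactingLoggingHandler>>(), new[] { "api_key", "sig" }));
//   services.RemoveAll<IHttpMessageHandlerBuilderFilter>();
```

Only query values are masked; path segments, which #74339 also asked about, are logged unchanged.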