
HTTP Span Attributes: url.full must not contain username / password, username and password should be redacted instead.

Open rads-1996 opened this issue 5 months ago • 0 comments

According to the specification - https://github.com/open-telemetry/semantic-conventions/blob/main/docs/http/http-spans.md, url.full MUST NOT contain credentials passed via URL in form of https://username:password@www.example.com/. In such case username and password SHOULD be redacted and attribute's value SHOULD be https://REDACTED:REDACTED@www.example.com/.

url.full SHOULD capture the absolute URL when it is available (or can be reconstructed).

Sensitive content provided in url.full SHOULD be scrubbed when instrumentations can identify it.

Query string values for the following keys SHOULD be redacted by default and replaced by the value REDACTED:

  • [AWSAccessKeyId]
  • [Signature]
  • [sig]
  • [X-Goog-Signature]

This list is subject to change over time.

rads-1996 avatar Jun 03 '25 17:06 rads-1996
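
An added example, not part of the original issue and not opentelemetry-js code: one way to produce a url.full value that follows the rules quoted above, redacting userinfo and the four listed query keys without re-serializing the rest of the URL. The helper names and sample URLs are hypothetical, and redacting a username that appears without a password is an assumption.

```javascript
// Added example: hypothetical helpers, not an opentelemetry-js API.
const REDACTED = 'REDACTED';
// Query keys the issue lists as redacted by default (matched case-sensitively).
const SENSITIVE_QUERY_KEYS = new Set(['AWSAccessKeyId', 'Signature', 'sig', 'X-Goog-Signature']);

function redactUserinfo(authority) {
  const at = authority.lastIndexOf('@'); // userinfo ends at the last '@'
  if (at === -1) return authority;
  // Assumption: redact whichever of username / password is present.
  const userinfo = authority.slice(0, at);
  const redacted = userinfo.includes(':') ? `${REDACTED}:${REDACTED}` : REDACTED;
  return redacted + authority.slice(at);
}

function redactQuery(query) {
  return query
    .split('&')
    .map((pair) => {
      const eq = pair.indexOf('=');
      if (eq === -1) return pair; // key without a value: nothing to redact
      const rawKey = pair.slice(0, eq);
      let key = rawKey;
      try { key = decodeURIComponent(rawKey); } catch { /* malformed escape: compare raw key */ }
      return SENSITIVE_QUERY_KEYS.has(key) ? `${rawKey}=${REDACTED}` : pair;
    })
    .join('&');
}

function redactUrlFull(rawUrl) {
  // Split into [scheme://authority] path [?query] [#fragment]; every other byte is kept as is.
  const m = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*:\/\/)([^/?#]*))?([^?#]*)(\?[^#]*)?(#.*)?$/s.exec(rawUrl);
  if (!m) return REDACTED; // fail closed rather than record an unchecked value
  const [, scheme = '', authority = '', path, query = '', fragment = ''] = m;
  const cleanQuery = query ? '?' + redactQuery(query.slice(1)) : '';
  return scheme + redactUserinfo(authority) + path + cleanQuery + fragment;
}
```

Working on the string instead of round-tripping through `new URL()` keeps the recorded value identical to the request URL apart from the redacted parts.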