flagsmith
flagsmith copied to clipboard
Flagsmith
Allow configuration to remove sensitive data from flags responses
We should add a configuration (at the environment or project level?) to remove descriptions from the response. Alternatively, we could add another field to the feature, in which you can store more sensitive information.
Is this for SDK endpoints? If yes - I don't think we need it since we have removed this field entirely in edge, no?
At the moment, the responses to flags (from the Core API) includes the feature description and tags fields. These are not necessary to return and potentially sensitive.
Implemented here: https://github.com/Flagsmith/flagsmith/pull/2017 NOTE: please read the discussion on the above PR for more context
Tldr: a flag named hide_sensitive_data has been added to the environment endpoint that(if enabled) will make the flags response looks like the response from edge-api and will also not return traits for identity endpoints
@gagantrivedi I think this is just waiting the frontend piece, is that correct?
@matthewelwell, For the frontend changes, should we request the endpoint to hide sensitive data solely based on the value of the hide_sensitive_data feature flag, or should we allow the admins to set this behavior somewhere as you proposed in the first comment?
@matthewelwell, For the frontend changes, should we request the endpoint to hide sensitive data solely based on the value of the
hide_sensitive_datafeature flag, or should we allow the admins to set this behavior somewhere as you proposed in the first comment?
Yeah, we went with the first approach, and it is now a configuration at the environment level
@gagantrivedi I think this still needs implementing in the Edge API? For example, the traits need removing on the identities endpoints. Also, we should add a PR for the docs to confirm which fields are removed on which endpoints.