Should have a way to filter things out of the logs. Poses a security issue as it stands.
I think there needs to be a way to create a "safe" list so that certain things are scrubbed from the logs
For instance
Params: map[username:Altonymous password:1234 confirm_password:1234 handle:Altonymous]
Should be:
Params: map[username:Altonymous password:
Hi @Altonymous and @hoisie - I've done a slight modification to server.go to provide a config attribute called OmitPostParams, which if set to true does NOT omit any POST parameters.
Is there interest in this getting patched in? If so I'll submit a pull request.
Usage is pretty simple:
web.Config.OmitPostParams = true
Results in output like:
2016/02/19 14:56:26 1.2.3.4 - POST /saml_consume - 27.903774ms
Thanks for posting this issue. I agree it's a security concern and needs to be fixed. I like the idea of having a way to disable param logging, but I think that could be achieved more effectively using log levels.
I was thinking of introducing a config option like Config.FilterParams, which could be a list of sensitive param names. For example, if you'd like to filter out password and password_confirm, you could just use: Config.FilterParams = []string{"password", "password_confirm"}
Great idea!
Just created https://github.com/hoisie/web/pull/208. Config.FilterParams is a list of regular expression strings. I think that's a little more flexible than just hardcoding param names. Anyone want to take a look at that?
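The two proposals above (a list of sensitive param names, then a list of regular expressions applied to param names) can be shown end to end with a small scrubber. The following is an added example written for this page, not code from hoisie/web or from the pull request linked above: the function names FilterParams, FormatParams and ParseForm, the [FILTERED] placeholder and the sample request body are all assumptions chosen here. It compiles the configured patterns once, redacts the value of every param whose name matches, and leaves the caller's original map untouched so the handler still sees the real values.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Redacted is the placeholder written in place of a filtered value (assumed here).
const Redacted = "[FILTERED]"

// compilePatterns compiles the configured filter expressions up front, so a
// malformed expression fails loudly at startup instead of on every request.
func compilePatterns(patterns []string) ([]*regexp.Regexp, error) {
	out := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("bad filter pattern %q: %w", p, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// FilterParams returns a copy of params in which the value of every key that
// matches one of the patterns is replaced by Redacted. Patterns are unanchored,
// so "password" also covers "confirm_password"; use "^password$" for an exact
// key. The input map is not modified.
func FilterParams(params map[string]string, patterns []string) (map[string]string, error) {
	res, err := compilePatterns(patterns)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(params))
	for k, v := range params {
		out[k] = v
		for _, re := range res {
			if re.MatchString(k) {
				out[k] = Redacted
				break
			}
		}
	}
	return out, nil
}

// FormatParams renders params the way the log line in the issue shows them,
// map[key:value ...], with keys sorted so the output is deterministic.
func FormatParams(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+":"+params[k])
	}
	return "map[" + strings.Join(parts, " ") + "]"
}

// ParseForm decodes a urlencoded POST body into a single-valued param map,
// keeping the first value of any repeated key.
func ParseForm(body string) (map[string]string, error) {
	values, err := url.ParseQuery(body)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(values))
	for k, vs := range values {
		if len(vs) > 0 {
			out[k] = vs[0]
		}
	}
	return out, nil
}

func main() {
	// Constructed sample body, modelled on the params shown in the issue.
	body := "username=Altonymous&password=1234&confirm_password=1234&handle=Altonymous"
	params, err := ParseForm(body)
	if err != nil {
		panic(err)
	}
	filtered, err := FilterParams(params, []string{"password"})
	if err != nil {
		panic(err)
	}
	fmt.Println("Params:", FormatParams(filtered))
}
```

Note that matching is on the parameter name only: a secret that arrives under an unexpected key, or embedded inside another field's value, is still logged, so the pattern list has to be maintained alongside the forms the application accepts.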