ingress-nginx

Config: Do not log URL parameters.

Open RichardoC opened this issue 8 months ago • 21 comments

What this PR does / why we need it:

The default logging configuration will capture the URL query strings, which often have sensitive information in them [1]. This PR changes that behaviour so these are no longer logged by default.

This has already been reported to [email protected], and they said to open a public PR about it.

[1] https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] CVE Report (Scanner found CVE and adding report)
  • [X] Breaking change (fix or feature that would cause existing functionality to change)
  • [ ] Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

Already running with this configuration on my own cluster

Checklist:

  • [X] My change requires a change to the documentation.
  • [X] I have updated the documentation accordingly.
  • [X] I've read the CONTRIBUTION guide
  • [X] I have added unit and/or e2e tests to cover my changes.
  • [ ] All new and existing tests passed.

RichardoC Feb 21 '25 10:02
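The exposure described in the PR above, as an added example that is not part of the original PR or the ingress-nginx code base: a Python audit that finds query strings in access log lines and strips them, covering both the request line and the referer field. The combined-style log layout, the sample lines, and the `SENSITIVE` parameter list are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed layout around the fields of interest (combined-style access log):
#   ... "METHOD /path?query HTTP/x" status bytes "referer" ...
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
# Assumed parameter names worth flagging; extend for your own applications.
SENSITIVE = {"token", "access_token", "api_key", "password", "session", "code"}

# Constructed sample lines (documentation addresses and a reserved .test domain).
SAMPLE = [
    '203.0.113.7 - - [21/Feb/2025:10:02:00 +0000] '
    '"GET /reset?token=abc123&next=%2Fhome HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.8 - - [21/Feb/2025:10:02:01 +0000] "GET /static/app.js HTTP/2.0" '
    '200 9000 "https://app.example.test/login?session=xyz" "Mozilla/5.0"',
]


def strip_query(url):
    """Return (url without query or fragment, [parameter names])."""
    try:
        parts = urlsplit(url)
        base, query = parts._replace(query="", fragment="").geturl(), parts.query
    except ValueError:  # malformed bracketed host in a logged referer
        base, _, query = url.partition("?")
    return base, [k for k, _ in parse_qsl(query, keep_blank_values=True)]


def audit_line(line):
    """Return (redacted line, sorted sensitive parameter names found).

    Lines that do not match LINE_RE are returned unchanged with no findings,
    so review unmatched lines separately before sharing logs.
    """
    m = LINE_RE.search(line)
    if not m:
        return line, []
    target, t_names = strip_query(m.group("target"))
    referer, r_names = strip_query(m.group("referer"))
    redacted = (line[:m.start("target")] + target
                + line[m.end("target"):m.start("referer")] + referer
                + line[m.end("referer"):])
    hits = sorted({n for n in t_names + r_names if n.lower() in SENSITIVE})
    return redacted, hits
```

Run `audit_line` over existing log archives to measure how much sensitive data has already been written; the referer finding shows that removing the query string from the request field alone does not cover every field that can carry one.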