akka-tracing

Use whitelists rather than blacklists for header and query annotations

Open drpacman opened this issue 9 years ago • 3 comments

Hi Lev, it is hard to know upfront all possible security-related headers (e.g. containing authentication tokens, user info, etc.), which risks leaking sensitive info into Zipkin traces.

My previous implementation took a blacklisting approach. Based on the above security concerns, I now realise it is more sensible to use a whitelist for inclusion of query params and header values than a blacklist.

drpacman Nov 26 '15 14:11

Hi Lev, good to see recent activity again on this repo. I have remerged from your updated master and resolved merge conflicts to make specific headers included. We have seen in our exploratory usage of akka-tracing that this feature is necessary, as we have security credentials in headers (which vary across products) which must not be logged.

drpacman Apr 06 '16 11:04
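
The difference between the two approaches discussed in this thread, as an added example that is not part of the pull request or of akka-tracing's own code: the same constructed request is filtered once with a blacklist and once with a whitelist before its headers would become trace annotations. The object and function names and the `X-Product-Session` header are hypothetical, and all header values are constructed.

```scala
// Added illustration; not akka-tracing code. All names here are hypothetical.
object AnnotationFilterDemo {
  // HTTP header names are case-insensitive, so normalise before comparing.
  private def norm(name: String): String =
    name.trim.toLowerCase(java.util.Locale.ROOT)

  /** Blacklist: annotate everything except names known to be sensitive. */
  def blacklistFilter(fields: Seq[(String, String)],
                      denied: Set[String]): Seq[(String, String)] = {
    val d = denied.map(norm)
    fields.filterNot { case (k, _) => d.contains(norm(k)) }
  }

  /** Whitelist: annotate only explicitly approved names; the default is to drop. */
  def whitelistFilter(fields: Seq[(String, String)],
                      allowed: Set[String]): Seq[(String, String)] = {
    val a = allowed.map(norm)
    fields.filter { case (k, _) => a.contains(norm(k)) }
  }

  def main(args: Array[String]): Unit = {
    // Constructed request headers. X-Product-Session stands in for a
    // product-specific credential header that nobody thought to blacklist.
    val headers = Seq(
      "User-Agent"        -> "curl/7.43.0",
      "Accept"            -> "application/json",
      "authorization"     -> "Bearer CONSTRUCTED-TOKEN",
      "X-Product-Session" -> "CONSTRUCTED-SESSION-ID"
    )

    val viaBlacklist = blacklistFilter(headers, Set("Authorization", "Cookie"))
    val viaWhitelist = whitelistFilter(headers, Set("User-Agent", "Accept"))

    // Print only the names that would reach the trace store.
    println("blacklist -> " + viaBlacklist.map(_._1).mkString(", "))
    println("whitelist -> " + viaWhitelist.map(_._1).mkString(", "))
  }
}
```

With the blacklist, the unlisted `X-Product-Session` header still passes through to the annotations; with the whitelist, only `User-Agent` and `Accept` do, so a new credential header is dropped without any configuration change.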

Coverage Status

Coverage increased (+0.3%) to 88.18% when pulling 4c6ff8e6985bcfdeded89633365baedcc3f63c4e on drpacman:master into fb4a6a18898b6e746764ba9ceaba7cd033cf5a55 on levkhomich:master.

coveralls Apr 06 '16 11:04

Coverage Status

Coverage increased (+0.2%) to 88.112% when pulling 4c6ff8e6985bcfdeded89633365baedcc3f63c4e on drpacman:master into fb4a6a18898b6e746764ba9ceaba7cd033cf5a55 on levkhomich:master.

coveralls Apr 06 '16 22:04