nginx-opentracing icon indicating copy to clipboard operation
nginx-opentracing copied to clipboard

Published 20 hours ago verified publisher icon opentracing-contrib

Query parameters in "http.url" tag

Open pauqilaz opened this issue 2 years ago • 3 comments

The http.url span tag is currrently set to "$scheme://$http_host$request_uri" which includes the query parameters. Since these are more likely to contain sensitive information, would it make sense to remove the query parameters from the tag ?

Thanks!

pauqilaz avatar Apr 27 '22 14:04 pauqilaz

@pauqilaz You are right. I would advice to obfuscate/drop tag in opentelemetry collector side. Another suggestion to move sensitive information from query to headers, just because of this. The url is mostly likely be logged or shared in other places.

miry avatar Apr 27 '22 20:04 miry

Removing it altogether is one possibility, since it can still be re-added as an optional tag. Alternatively, replacing it with "$scheme://$http_host$uri" should already remove the query parameters.

pauqilaz avatar Apr 28 '22 08:04 pauqilaz

More about semantic convention of http.url in https://opentracing.io/specification/conventions/

http.url string URL of the request being handled in this segment of the trace, in standard URI format. E.g., "https://domain.net/path/to?resource=here"

miry avatar Apr 28 '22 10:04 miry