hydra
Configure sensitive fields that should be redacted
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
Hydra already redacts some fields for you, such as "cookie". There are other fields that should (according to our company guidelines) also be redacted, such as:
headers:
- cf-connecting-ip
- forwarded
- x-forwarded-for
which contain IP addresses, which can be deemed as sensitive.
I have searched the Hydra docs and the issues in this repo and it does not appear that it's possible to choose what fields get redacted. In this particular case, it would be great to redact more fields by default (rather than the existing config option of showing the sensitive data).
Describe your ideal solution
Configuration option for Hydra to list other fields that should be redacted in addition to the default ones. This list would be merged with the internal one that contains "cookies", "query", etc.
Workarounds or alternatives
If there is a way of doing this that's undocumented in Hydra, that would be great to know :). This data could be scrubbed elsewhere potentially, like in DataDog for example, but since you're already doing redaction and just need to expose some config to add to it, I think it's a reasonable request?
Version
oryd/hydra:v1.11.10
Additional Context
No response
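One way the requested option could behave, as an added example that is not code from Hydra or ory/x: an operator-supplied list of header names is merged with the built-in one and matched case-insensitively before the headers are logged. The function names, the `[redacted]` placeholder and the single-entry default list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// defaultSensitive stands in for the built-in list (assumption: only
// "cookie" is included here because it is the header the issue names).
var defaultSensitive = []string{"cookie"}

const redacted = "[redacted]" // placeholder text chosen for this example

// mergeSensitive lower-cases, trims and de-duplicates the built-in and
// operator-supplied header names into one lookup set.
func mergeSensitive(extra []string) map[string]struct{} {
	set := make(map[string]struct{}, len(defaultSensitive)+len(extra))
	for _, list := range [][]string{defaultSensitive, extra} {
		for _, name := range list {
			if n := strings.ToLower(strings.TrimSpace(name)); n != "" {
				set[n] = struct{}{}
			}
		}
	}
	return set
}

// redactHeaders returns a copy of h that is safe to log. The request's own
// headers are left untouched so the application still sees the real values.
func redactHeaders(h http.Header, sensitive map[string]struct{}) http.Header {
	out := make(http.Header, len(h))
	for key, values := range h {
		// net/http stores keys canonicalized (e.g. "Cf-Connecting-Ip"),
		// so compare in lower case against the configured names.
		if _, hit := sensitive[strings.ToLower(key)]; hit {
			out[key] = []string{redacted}
			continue
		}
		out[key] = append([]string(nil), values...)
	}
	return out
}

func main() {
	// Constructed request headers; the addresses are documentation ranges.
	h := http.Header{}
	h.Set("X-Forwarded-For", "203.0.113.7, 198.51.100.2")
	h.Set("CF-Connecting-IP", "203.0.113.7")
	h.Set("User-Agent", "curl/8.0")
	extra := []string{"cf-connecting-ip", "forwarded", "x-forwarded-for"}
	fmt.Println(redactHeaders(h, mergeSensitive(extra)))
}
```

Multi-value headers collapse to a single placeholder, so the log does not reveal how many proxy hops the `x-forwarded-for` chain contained.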
Same issue: https://github.com/ory/oathkeeper/issues/1081
Needs a fix in ory/x.