feat: add configurable header redaction for logs
When configuring Oathkeeper to use a non-standard auth header (such as `token_from` in the jwt authenticator), Oathkeeper currently logs these tokens in plain text when configured at log level INFO or above. There is currently no way to append additional headers to the default list of redacted headers.
I considered implementing a matcher for some of these fields, but went with a more generic solution that allows the user to choose which arbitrary headers to redact from logging.
Add support for the `log.redact_headers` configuration option to redact additional sensitive headers beyond the defaults (`authorization`, `cookie`, `set-cookie`, `x-session-token`). Headers specified in this configuration will have their values masked in log output.
## Example configuration

```yaml
log:
  redact_headers:
    - x-custom-authorization
    - x-api-key
```
## Related issue(s)

## Checklist
- [x] I have read the contributing guidelines.
- [ ] I have referenced an issue containing the design document if my change introduces a new feature.
- [x] I am following the contributing code guidelines.
- [x] I have read the security policy.
- [ ] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact [email protected]) from the maintainers to push the changes.
- [x] I have added tests that prove my fix is effective or that my feature works.
- [x] I have added or changed the documentation.
## Further Comments

The failing format test seems to be unrelated to my change.
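The behaviour this pull request describes, as an added Go example that is not Oathkeeper's own code: a redactor that merges the default sensitive header names listed above with the names a user supplies under a setting like `log.redact_headers`, and produces a log-safe copy of an `http.Header`. It goes slightly beyond the description by lower-casing and trimming configured names, so that `X-API-Key` in YAML still matches `x-api-key` on the wire. The `LogConfig` struct, the `NewHeaderRedactor`, `Redact` and `LogLine` names, the `[redacted]` placeholder and the sample headers are assumptions made for this illustration.

```go
package main

// Added example (not Oathkeeper's own code): a header redactor that combines
// the default sensitive header names listed in the PR with the names a user
// supplies under a setting like log.redact_headers, and produces a log-safe
// copy of an http.Header. The config struct, the placeholder text and the
// function names are assumptions for illustration.

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// LogConfig models the relevant slice of the log section of the configuration;
// RedactHeaders corresponds to log.redact_headers in the PR's example.
type LogConfig struct {
	RedactHeaders []string
}

// defaultRedactedHeaders are the names the PR says are redacted out of the box.
var defaultRedactedHeaders = []string{"authorization", "cookie", "set-cookie", "x-session-token"}

// redactedValue is the placeholder written to the log instead of the real
// value (an assumed marker, not the project's wording).
const redactedValue = "[redacted]"

// HeaderRedactor knows which header names must never reach a log line.
type HeaderRedactor struct {
	sensitive map[string]struct{} // lower-cased header names
}

// NewHeaderRedactor merges the defaults with cfg.RedactHeaders. Names are
// lower-cased and trimmed so that "X-API-Key" in YAML matches "x-api-key" on
// the wire: HTTP header names are case-insensitive, and an exact-match
// comparison would silently leave the header unredacted.
func NewHeaderRedactor(cfg LogConfig) *HeaderRedactor {
	r := &HeaderRedactor{sensitive: make(map[string]struct{})}
	for _, name := range defaultRedactedHeaders {
		r.sensitive[name] = struct{}{}
	}
	for _, name := range cfg.RedactHeaders {
		name = strings.ToLower(strings.TrimSpace(name))
		if name != "" {
			r.sensitive[name] = struct{}{}
		}
	}
	return r
}

// Redact returns a copy of h in which every sensitive header carries only the
// placeholder. The caller's header map is left untouched, so the request keeps
// working while the copy is what gets logged.
func (r *HeaderRedactor) Redact(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, values := range h {
		if _, hit := r.sensitive[strings.ToLower(name)]; hit {
			out[name] = []string{redactedValue}
			continue
		}
		out[name] = append([]string(nil), values...)
	}
	return out
}

// LogLine renders the redacted headers as one deterministic "name=value" line,
// the shape a structured logger would emit as a field.
func (r *HeaderRedactor) LogLine(h http.Header) string {
	redacted := r.Redact(h)
	names := make([]string, 0, len(redacted))
	for name := range redacted {
		names = append(names, name)
	}
	sort.Strings(names)
	parts := make([]string, 0, len(names))
	for _, name := range names {
		parts = append(parts, fmt.Sprintf("%s=%s", name, strings.Join(redacted[name], ",")))
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed sample request headers; the secret values are made up.
	h := http.Header{}
	h.Set("Authorization", "Bearer default-secret")
	h.Set("X-Custom-Authorization", "custom-secret") // a token_from-style header
	h.Set("X-Api-Key", "api-key-secret")
	h.Set("Content-Type", "application/json")

	// Before: only the defaults are masked, so the custom token is leaked.
	fmt.Println(NewHeaderRedactor(LogConfig{}).LogLine(h))
	// After: the PR's example configuration masks the two extra headers too.
	cfg := LogConfig{RedactHeaders: []string{"x-custom-authorization", "x-api-key"}}
	fmt.Println(NewHeaderRedactor(cfg).LogLine(h))
}
```

The first line printed still contains `custom-secret` and `api-key-secret`, which is the leak the pull request addresses; the second masks them. Redacting a copy rather than the live header map matters in a proxy, because the upstream still needs the original credential after the log line is written.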