postlund
Mask sensitive information in debug logs
What feature would you like? Most things are not that sensitive, but others are. So I feel that it would be good to make at least a small effort to hide the most basic things that are considered private.
Describe the solution you'd like A simple solution is to mask certain things based on regexp, e.g. replace last three octets with XX:XX:XX in a MAC address or parts of credentials with XXX. One minor issue is that two similar things that are masked are potentially masked to the same value, which might be confusing.
There also needs to be some way to disable masking, e.g by calling a certain function, as that helps with debugging.
A very important factor to consider here is overhead/performance. The best way, hands down, would be to write a filter or formatter to the logging framework which masks things regardless of where it comes from. This is very generic and I wouldn't have to make any other adjustments to the code. It however has the downside of being run on every log call, so it might add some overhead. Other alternative is to manually mask in places where consider relevant. I haven't decided which way to go yet.
Any other information to share? One note here. Some things might hide (as hex) in sent or received data. That is very hard to guard for in a generic way, so I'm gonna ignore that for now. Maybe later I can provide better protection for that (maybe by disabling those logs in that case or cripple the output).
