spring-projects/spring-ws

Unable to mask sensitive information in Request query params in Spring boot tomcat embedded access.log

dineshv1234567 opened this issue · 1 comments

Problem
Unable to mask sensitive information in Request query params in Spring boot tomcat embedded access.log

Details
I created a Spring Boot application with the default Tomcat server.
Reference: https://spring.io/blog/2014/03/07/deploying-spring-boot-applications
Now, when I enable tomcat access logs using application.properties as follows:

server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern='%h %l %u %t "%r" %s %b %D %F'
server.tomcat.accesslog.prefix=access
server.tomcat.accesslog.directory=/test/logs
server.tomcat.accesslog.suffix=.log

I can see the whole request with all query params passed, like this:
'0:0:0:0:0:0:0:1 - - [21/Aug/2023:14:01:53 +0530] "GET /hello/World?queryTest=dinesh@gmail.com HTTP/1.1" 200 13 20 19'

I tried different ways to mask the query params, that is, the email in the above case, in the access.log file, but nothing worked.

Version used
spring-boot-starter-parent: 2.6.6

@dineshv1234567
You should not have sensitive data in request parameters. The request parameters form part of the URL and will be logged by web servers.
The known sensitive headers and the body are not logged.
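
For deployments that cannot move the value out of the URL right away, the sketch below shows one way to keep query values out of the access log. It is an added example, not code from this issue or from the Spring or Tomcat projects. It assumes the Tomcat 9.x `AccessLogValve` API that Spring Boot 2.6.x embeds; the class name `MaskingAccessLogValve` and the `***` mask are hypothetical.

```java
// Added example: assumes Tomcat 9.x (embedded by Spring Boot 2.6.x).
// MaskingAccessLogValve and MASK are hypothetical names.
import java.io.CharArrayWriter;
import java.util.Date;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.AccessLogValve;

public class MaskingAccessLogValve extends AccessLogValve {

    private static final String MASK = "***";

    /** Swap only the %r element; every other pattern code keeps Tomcat's behaviour. */
    @Override
    protected AccessLogElement createAccessLogElement(char pattern) {
        return pattern == 'r' ? new MaskedRequestLine() : super.createAccessLogElement(pattern);
    }

    /** Keeps parameter names, replaces every value: "a=1&b=2" becomes "a=***&b=***". */
    static String maskQuery(String rawQuery) {
        StringBuilder out = new StringBuilder();
        for (String pair : rawQuery.split("&")) {
            if (out.length() > 0) {
                out.append('&');
            }
            int eq = pair.indexOf('=');
            // A token without '=' may itself be the sensitive value, so mask it whole.
            out.append(eq < 0 ? MASK : pair.substring(0, eq + 1) + MASK);
        }
        return out.toString();
    }

    /** Writes "METHOD /path?masked-query PROTOCOL" in place of the raw request line. */
    protected static class MaskedRequestLine implements AccessLogElement {
        @Override
        public void addElement(CharArrayWriter buf, Date date, Request request,
                               Response response, long time) {
            if (request == null || request.getMethod() == null) {
                buf.append('-');
                return;
            }
            buf.append(request.getMethod()).append(' ').append(request.getRequestURI());
            String query = request.getQueryString();
            if (query != null) {
                buf.append('?').append(maskQuery(query));
            }
            buf.append(' ').append(request.getProtocol());
        }
    }
}
```

Register the valve with `TomcatServletWebServerFactory.addEngineValves(...)` from a `WebServerFactoryCustomizer` bean and leave `server.tomcat.accesslog.enabled` off, so the stock valve does not also write the unmasked line. If the query string is not needed in the log at all, using `%m %U %H` in place of `%r` in the pattern drops it without custom code.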