author | Matthew Holt <mholt@users.noreply.github.com> | 2021-11-22 11:31:50 -0700 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2021-11-22 11:31:50 -0700 |
commit | 7d5047c1f190421528695e1cc3a4ad71c97eb022 (patch) | |
tree | 8164412b2543b79ab73f1ae97cf3881e74e53e7f /modules/caddyhttp | |
parent | 7f364c777acfc1a0c8c3c62d9c3ad001fb1ea6df (diff) |
caddyhttp: Log empty value for typical password headers
Work around for common misconfiguration
Diffstat (limited to 'modules/caddyhttp')
-rw-r--r-- | modules/caddyhttp/marshalers.go | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/modules/caddyhttp/marshalers.go b/modules/caddyhttp/marshalers.go
index 8001bd8..bbb703c 100644
--- a/modules/caddyhttp/marshalers.go
+++ b/modules/caddyhttp/marshalers.go
@@ -17,6 +17,7 @@ package caddyhttp
 import (
 	"crypto/tls"
 	"net/http"
+	"strings"
 
 	"go.uber.org/zap/zapcore"
 )
@@ -39,6 +40,8 @@ func (r LoggableHTTPRequest) MarshalLogObject(enc zapcore.ObjectEncoder) error {
 }
 
 // LoggableHTTPHeader makes an HTTP header loggable with zap.Object().
+// Headers with potentially sensitive information (Cookie, Authorization,
+// and Proxy-Authorization) are logged with empty values.
 type LoggableHTTPHeader http.Header
 
 // MarshalLogObject satisfies the zapcore.ObjectMarshaler interface.
@@ -47,6 +50,10 @@ func (h LoggableHTTPHeader) MarshalLogObject(enc zapcore.ObjectEncoder) error {
 		return nil
 	}
 	for key, val := range h {
+		switch strings.ToLower(key) {
+		case "cookie", "authorization", "proxy-authorization":
+			val = []string{}
+		}
 		enc.AddArray(key, LoggableStringArray(val))
 	}
 	return nil
@@ -75,8 +82,6 @@ func (t LoggableTLSConnState) MarshalLogObject(enc zapcore.ObjectEncoder) error
 	enc.AddUint16("version", t.Version)
 	enc.AddUint16("cipher_suite", t.CipherSuite)
 	enc.AddString("proto", t.NegotiatedProtocol)
-	// NegotiatedProtocolIsMutual is deprecated - it's always true
-	enc.AddBool("proto_mutual", true)
 	enc.AddString("server_name", t.ServerName)
 	if len(t.PeerCertificates) > 0 {
 		enc.AddString("client_common_name", t.PeerCertificates[0].Subject.CommonName)
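Review bot: The `strings.ToLower(key)` in the new switch inside `LoggableHTTPHeader.MarshalLogObject` allocates a fresh string for every header of every logged request, since canonical `http.Header` keys contain uppercase letters; this runs on the access-log path, so the comparison is better done without allocating, e.g. `if strings.EqualFold(key, "Cookie") || strings.EqualFold(key, "Authorization") || strings.EqualFold(key, "Proxy-Authorization") { val = []string{} }`, which still catches non-canonical keys in a directly constructed map. The set of redacted names is hard-coded and undocumented at the point of use; a short comment such as `// never log credential-bearing header values, even when the key is not canonical` would make the intent clear to the next maintainer. The enclosing function begins before the hunk (the `@@` header names it and the first context line is a nested `return nil`).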