data-mask
The `data-mask` plugin provides the capability to remove or replace sensitive information in request headers, request bodies, and URL queries.
Examples
The examples below demonstrate how you can use the `data-mask` plugin for different scenarios.
While all examples use the `file-logger` plugin for logging, it is only used to show that information has been successfully masked. Adjust accordingly per your use case.
Mask Sensitive Information in URL Query
The following example demonstrates how you can mask sensitive information in the request URL queries, before the request is logged to a local file by the `file-logger` plugin.
Create a route with the `file-logger` plugin to log requests and the `data-mask` plugin with three data masking rules:
```shell
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
  -H "X-API-KEY: ${ADMIN_API_KEY}" \
  -d '{
    "id": "data-mask-route",
    "uri": "/anything",
    "plugins": {
      "data-mask": {
        "request": [
          {
            "action": "remove",
            "name": "password",
            "type": "query"
          },
          {
            "action": "replace",
            "name": "token",
            "type": "query",
            "value": "*****"
          },
          {
            "action": "regex",
            "name": "card",
            "regex": "(\\d+)\\-\\d+\\-\\d+\\-(\\d+)",
            "type": "query",
            "value": "$1-****-****-$2"
          }
        ]
      },
      "file-logger": {
        "path": "/tmp/mask-query.log"
      }
    },
    "upstream": {
      "type": "roundrobin",
      "nodes": {
        "httpbin.org:80": 1
      }
    }
  }'
```
❶ data masking rule to remove the `password` URL query from the request.
❷ data masking rule to replace the value of the `token` URL query with `*****`.
❸ data masking rule that matches the card number in the `card` URL query with a RegEx and masks the middle portion of the card number.
❹ path to the log file on the filesystem where logs should be saved.
Send a request to the route with sensitive information in URL queries:
```shell
curl -i "http://127.0.0.1:9080/anything?password=abc&token=xyz&card=1234-1234-1234-1234"
```
You should receive an `HTTP/1.1 200 OK` response.
Navigating to the `/tmp/mask-query.log` file and examining the log content, you should see a log entry similar to the following:
```json
{
  "request": {
    "uri": "/anything?token=*****&card=1234-****-****-1234",
    "method": "GET",
    "url": "http://127.0.0.1:9080/anything?token=*****&card=1234-****-****-1234",
    "querystring": {
      "token": "*****",
      "card": "1234-****-****-1234"
    }
  }
}
```
Mask Sensitive Information in Request Headers
The following example demonstrates how you can mask sensitive information in request headers, before the request is logged to a local file by the `file-logger` plugin.
Create a route with the `file-logger` plugin to log requests and the `data-mask` plugin with three data masking rules:
```shell
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
  -H "X-API-KEY: ${ADMIN_API_KEY}" \
  -d '{
    "id": "data-mask-route",
    "uri": "/anything",
    "plugins": {
      "data-mask": {
        "request": [
          {
            "action": "remove",
            "name": "password",
            "type": "header"
          },
          {
            "action": "replace",
            "name": "token",
            "type": "header",
            "value": "*****"
          },
          {
            "action": "regex",
            "name": "card",
            "regex": "(\\d+)\\-\\d+\\-\\d+\\-(\\d+)",
            "type": "header",
            "value": "$1-****-****-$2"
          }
        ]
      },
      "file-logger": {
        "path": "/tmp/mask-header.log"
      }
    },
    "upstream": {
      "type": "roundrobin",
      "nodes": {
        "httpbin.org:80": 1
      }
    }
  }'
```
❶ data masking rule to remove the `password` header from the request.
❷ data masking rule to replace the value of the `token` request header with `*****`.
❸ data masking rule that matches the card number in the `card` request header with a RegEx and masks the middle portion of the card number.
❹ path to the log file on the filesystem where logs should be saved.
Send a POST request to the route with sensitive information in headers:
```shell
curl -i "http://127.0.0.1:9080/anything" -X POST \
  -H "password: abc" \
  -H "token: xyz" \
  -H "card: 1234-1234-1234-1234"
```
You should receive an `HTTP/1.1 200 OK` response.
Navigating to the `/tmp/mask-header.log` file and examining the log content, you should see a log entry similar to the following:
```json
{
  "request": {
    "uri": "/anything",
    "method": "GET",
    "url": "http://127.0.0.1:9080/anything",
    "headers": {
      "user-agent": "curl/8.6.0",
      "token": "*****",
      "card": "1234-****-****-1234"
    }
  }
}
```
Mask Sensitive Information in URL-Encoded Request Bodies
The following example demonstrates how you can mask sensitive information in URL-encoded request bodies, before the request is logged to a local file by the `file-logger` plugin.
Create a route with the `file-logger` plugin to log requests and the `data-mask` plugin with three data masking rules:
```shell
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
  -H "X-API-KEY: ${ADMIN_API_KEY}" \
  -d '{
    "id": "data-mask-route",
    "uri": "/anything",
    "plugins": {
      "data-mask": {
        "request": [
          {
            "action": "remove",
            "body_format": "urlencoded",
            "name": "password",
            "type": "body"
          },
          {
            "action": "replace",
            "body_format": "urlencoded",
            "name": "token",
            "type": "body",
            "value": "*****"
          },
          {
            "action": "regex",
            "body_format": "urlencoded",
            "name": "card",
            "regex": "(\\d+)\\-\\d+\\-\\d+\\-(\\d+)",
            "type": "body",
            "value": "$1-****-****-$2"
          }
        ]
      },
      "file-logger": {
        "include_req_body": true,
        "path": "/tmp/mask-urlencoded-body.log"
      }
    },
    "upstream": {
      "type": "roundrobin",
      "nodes": {
        "httpbin.org:80": 1
      }
    }
  }'
```
❶ data masking rule to remove the `password` field from the request body.
❷ data masking rule to replace the `token` field in the request body with `*****`.
❸ data masking rule that matches the card number in the `card` field of the request body with a RegEx and masks the middle portion of the card number.
❹ path to the log file on the filesystem where logs should be saved.
Send a request to the route with sensitive information in the URL-encoded body:
```shell
curl -i "http://127.0.0.1:9080/anything" \
  --data-urlencode "password=abc" \
  --data-urlencode "token=xyz" \
  --data-urlencode "card=1234-1234-1234-1234"
```
You should receive an `HTTP/1.1 200 OK` response.
Navigating to the `/tmp/mask-urlencoded-body.log` file and examining the log content, you should see a log entry similar to the following:
```json
{
  "request": {
    "uri": "/anything",
    "body": "token=*****&card=1234-****-****-1234",
    "method": "POST",
    "url": "http://127.0.0.1:9080/anything"
  }
}
```
Mask Sensitive Information in JSON-Encoded Request Bodies
The following example demonstrates how you can mask sensitive information in JSON-encoded request bodies, using JSON path syntax in the plugin to locate the target field, before the request is logged to a local file by the `file-logger` plugin.
Create a route with the `file-logger` plugin to log requests and the `data-mask` plugin with three data masking rules:
```shell
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
  -H "X-API-KEY: ${ADMIN_API_KEY}" \
  -d '{
    "id": "data-mask-route",
    "uri": "/anything",
    "plugins": {
      "data-mask": {
        "request": [
          {
            "action": "remove",
            "body_format": "json",
            "name": "$.password",
            "type": "body"
          },
          {
            "action": "replace",
            "body_format": "json",
            "name": "users[*].token",
            "type": "body",
            "value": "*****"
          },
          {
            "action": "regex",
            "body_format": "json",
            "name": "$.users[*].credit.card",
            "regex": "(\\d+)\\-\\d+\\-\\d+\\-(\\d+)",
            "type": "body",
            "value": "$1-****-****-$2"
          }
        ]
      },
      "file-logger": {
        "path": "/tmp/mask-json-body.log"
      }
    },
    "upstream": {
      "type": "roundrobin",
      "nodes": {
        "httpbin.org:80": 1
      }
    }
  }'
```
❶ data masking rule to remove the `password` field (JSON path `$.password`) from the request body.
❷ data masking rule to replace the `token` field of every entry in `users` (JSON path `users[*].token`) with `*****`.
❸ data masking rule that matches the card number in every `users[*].credit.card` field with a RegEx and masks the middle portion of the card number.
❹ path to the log file on the filesystem where logs should be saved.
Send a request to the route with sensitive information in the request body:
```shell
curl -i "http://127.0.0.1:9080/anything" -X POST -d '
{
  "password": "abc",
  "users": [
    {
      "token": "xyz",
      "credit": {
        "card": "1234-1234-1234-1234"
      }
    },
    {
      "token": "xyz",
      "credit": {
        "card": "1234-1234-1234-1234"
      }
    }
  ]
}'
```
You should receive an `HTTP/1.1 200 OK` response.
Navigating to the `/tmp/mask-json-body.log` file and examining the log content, you should see a log entry similar to the following:
```json
{
  "request": {
    "uri": "/anything",
    "body": "{\"users\":[{\"token\":\"*****\",\"credit\":{\"card\":\"1234-****-****-1234\"}},{\"token\":\"*****\",\"credit\":{\"card\":\"1234-****-****-1234\"}}]}",
    "method": "POST",
    "url": "http://127.0.0.1:9080/anything"
  }
}
```
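To make the three actions concrete, here is an added Python model of the masking semantics shown in the query, header, URL-encoded-body and JSON-body examples above; it is example code written for this page, not the plugin's own Lua implementation. The rule set is constructed from the page's rules, `$1`/`$2` back-references are translated to Python's `\1`/`\2`, and the JSON-path walker only supports the `$.a.b` and `[*]` forms the examples use.

```python
import json
import re

CARD_RE, CARD_MASK = r"(\d+)\-\d+\-\d+\-(\d+)", "$1-****-****-$2"
RULES = [  # constructed; mirrors this page's query and JSON-body rules, not APISIX code
    {"action": "remove", "name": "password", "type": "query"},
    {"action": "replace", "name": "token", "type": "query", "value": "*****"},
    {"action": "regex", "name": "card", "type": "query", "regex": CARD_RE, "value": CARD_MASK},
    {"action": "remove", "body_format": "json", "name": "$.password", "type": "body"},
    {"action": "replace", "body_format": "json", "name": "users[*].token", "type": "body", "value": "*****"},
    {"action": "regex", "body_format": "json", "name": "$.users[*].credit.card", "type": "body",
     "regex": CARD_RE, "value": CARD_MASK},
]

def mask_value(rule, value):
    """One rule on one value; None drops the field. A "regex" value's $1/$2 are rewritten to \\1/\\2 for re.sub."""
    if rule["action"] == "remove":
        return None
    if rule["action"] == "replace":
        return rule["value"]
    return re.sub(rule["regex"], re.sub(r"\$(\d+)", r"\\\1", rule["value"]), str(value))

def mask_pairs(rules, pairs, kind):
    """Mask (name, value) pairs of one kind: query args, headers or urlencoded body fields."""
    out = []
    for name, value in pairs:
        rule = next((r for r in rules if r["type"] == kind and r["name"].lower() == name.lower()), None)
        masked = value if rule is None else mask_value(rule, value)
        if masked is not None:  # a removed field is left out entirely, as password is above
            out.append((name, masked))
    return out

def _mask_node(node, parts, rule):  # JSON-path subset this page uses: $.a.b and [*]
    key, rest = parts[0], parts[1:]
    if key == "[*]" and rest:
        for child in (node if isinstance(node, list) else []):
            _mask_node(child, rest, rule)
    elif isinstance(node, dict) and key in node:
        if rest:
            _mask_node(node[key], rest, rule)
        elif (masked := mask_value(rule, node[key])) is None:
            del node[key]
        else:
            node[key] = masked

def mask_json_body(rules, body):  # apply every json-body rule; returns compact masked JSON
    doc = json.loads(body)
    for rule in (r for r in rules if r.get("body_format") == "json"):
        _mask_node(doc, re.findall(r"\[\*\]|[^.\[\]$]+", rule["name"]), rule)
    return json.dumps(doc, separators=(",", ":"))
```

Feeding the page's sample query string and JSON body through these functions reproduces the masked `querystring` and `body` values shown in the log entries above.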