data-mask
The data-mask plugin provides the capability to remove or replace sensitive information in request headers, request bodies, and URL queries.
Examples
The examples below demonstrate how you can use the data-mask plugin for different scenarios.
While all examples use the file-logger plugin for logging, it is only used to show that information has been successfully masked. Adjust accordingly per your use case.
Mask Sensitive Information in URL Query
The following example demonstrates how you can mask sensitive information in the request URL queries, before the request is logged to a local file by the file-logger plugin.
Create a route with the file-logger plugin to log requests and the data-mask plugin with three data masking rules:
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
"id": "data-mask-route",
"uri": "/anything",
"plugins": {
"data-mask": {
"request": [
{
"action": "remove",
"name": "password",
"type": "query"
},
{
"action": "replace",
"name": "token",
"type": "query",
"value": "*****"
},
{
"action": "regex",
"name": "card",
"regex": "(\\d+)\\-\\d+\\-\\d+\\-(\\d+)",
"type": "query",
"value": "$1-****-****-$2"
}
]
},
"file-logger": {
"path": "/tmp/mask-query.log"
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbin.org:80": 1
}
}
}'
❶ data masking rule to remove password URL query from the request.
❷ data masking rule to replace the value of token URL query with *****.
❸ data masking rule that matches card number in the URL query with RegEx and mask the middle portion of the card number.
❹ path to the log file on the filesystem where logs should be saved.
Send a request to the route with sensitive information in URL queries:
curl -i "http://127.0.0.1:9080/anything?password=abc&token=xyz&card=1234-1234-1234-1234"
You should receive an HTTP/1.1 200 OK response.
Navigating to the /tmp/mask-query.log file and examining the log content, you should see a log entry similar to the following:
{
"request": {
"uri": "/anything?token=*****&card=1234-****-****-1234",
"method": "GET",
"url": "http://127.0.0.1:9080/anything?token=*****&card=1234-****-****-1234",
"querystring": {
"token": "*****",
"card": "1234-****-****-1234"
}
}
}
Mask Sensitive Information in Request Headers
The following example demonstrates how you can mask sensitive information in request headers, before the request is logged to a local file by the file-logger plugin.
Create a route with the file-logger plugin to log requests and the data-mask plugin with three data masking rules:
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
"id": "data-mask-route",
"uri": "/anything",
"plugins": {
"data-mask": {
"request": [
{
"action": "remove",
"name": "password",
"type": "header"
},
{
"action": "replace",
"name": "token",
"type": "header",
"value": "*****"
},
{
"action": "regex",
"name": "card",
"regex": "(\\d+)\\-\\d+\\-\\d+\\-(\\d+)",
"type": "header",
"value": "$1-****-****-$2"
}
]
},
"file-logger": {
"path": "/tmp/mask-header.log"
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbin.org:80": 1
}
}
}'
❶ data masking rule to remove password header from the request.
❷ data masking rule to replace the value of token request header with *****.
❸ data masking rule that matches card number in the request header with RegEx and mask the middle portion of the card number.
❹ path to the log file on the filesystem where logs should be saved.
Send a POST request to the route with sensitive information in headers:
curl -i "http://127.0.0.1:9080/anything" -X POST \
-H "password: abc" \
-H "token: xyz" \
-H "card: 1234-1234-1234-1234"
You should receive an HTTP/1.1 200 OK response.
Navigating to the /tmp/mask-header.log file and examining the log content, you should see a log entry similar to the following:
{
"request": {
"uri": "/anything",
"method": "GET",
"url": "http://127.0.0.1:9080/anything",
"headers": {
"user-agent": "curl/8.6.0",
"token": "*****",
"card": "1234-****-****-1234"
}
}
}
Mask Sensitive Information in URL-Encoded Request Bodies
The following example demonstrates how you can mask sensitive information in URL-encoded request bodies, before the request is logged to a local file by the file-logger plugin.
Create a route with the file-logger plugin to log requests and the data-mask plugin with three data masking rules:
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
"id": "data-mask-route",
"uri": "/anything",
"plugins": {
"data-mask": {
"request": [
{
"action": "remove",
"body_format": "urlencoded",
"name": "password",
"type": "body"
},
{
"action": "replace",
"body_format": "urlencoded",
"name": "token",
"type": "body",
"value": "*****"
},
{
"action": "regex",
"body_format": "urlencoded",
"name": "card",
"regex": "(\\d+)\\-\\d+\\-\\d+\\-(\\d+)",
"type": "body",
"value": "$1-****-****-$2"
}
]
},
"file-logger": {
"include_req_body": true,
"path": "/tmp/mask-urlencoded-body.log"
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbin.org:80": 1
}
}
}'
❶ data masking rule to remove password information from the request body.
❷ data masking rule to replace token information in the request body with *****.
❸ data masking rule that matches card number in the request body with RegEx and mask the middle portion of the card number.
❹ path to the log file on the filesystem where logs should be saved.
Send a request to the route:
curl -i "http://127.0.0.1:9080/anything" \
--data-urlencode "password=abc" \
--data-urlencode "token=xyz" \
--data-urlencode "card=1234-1234-1234-1234"
You should receive an HTTP/1.1 200 OK response.
Navigating to the /tmp/mask-urlencoded-body.log file and examining the log content, you should see a log entry similar to the following:
{
"request": {
"uri": "/anything",
"body": "token=*****&card=1234-****-****-1234",
"method": "POST",
"url": "http://127.0.0.1:9080/anything"
}
}
Mask Sensitive Information in JSON-Encoded Request Bodies
The following example demonstrates how you can mask sensitive information in JSON-encoded request bodies using JSON path syntax in the plugin to look for the target field, before the request is logged to a local file by the file-logger plugin.
Create a route with the file-logger plugin to log requests and the data-mask plugin with three data masking rules:
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
-H "X-API-KEY: ${ADMIN_API_KEY}" \
-d '{
"id": "data-mask-route",
"uri": "/anything",
"plugins": {
"data-mask": {
"request": [
{
"action": "remove",
"body_format": "json",
"name": "$.password",
"type": "body"
},
{
"action": "replace",
"body_format": "json",
"name": "users[*].token",
"type": "body",
"value": "*****"
},
{
"action": "regex",
"body_format": "json",
"name": "$.users[*].credit.card",
"regex": "(\\d+)\\-\\d+\\-\\d+\\-(\\d+)",
"type": "body",
"value": "$1-****-****-$2"
}
]
},
"file-logger": {
"path": "/tmp/mask-json-body.log"
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbin.org:80": 1
}
}
}'
❶ data masking rule to remove password information from the request body.
❷ data masking rule to replace token information in the request body with *****.
❸ data masking rule that matches card number in the request body with RegEx and mask the middle portion of the card number.
❹ path to the log file on the filesystem where logs should be saved.
Send a request to the route with sensitive information in the request body:
curl -i "http://127.0.0.1:9080/anything" -X POST -d '
{
"password": "abc",
"users": [
{
"token": "xyz",
"credit": {
"card": "1234-1234-1234-1234"
}
},
{
"token": "xyz",
"credit": {
"card": "1234-1234-1234-1234"
}
}
]
}'
You should receive an HTTP/1.1 200 OK response.
Navigating to the /tmp/mask-json-body.log file and examining the log content, you should see a log entry similar to the following:
{
"request": {
"uri": "/anything",
"body": "{\"users\":[{\"token\":\"*****\",\"credit\":{\"card\":\"1234-****-****-1234\"}},{\"token\":\"*****\",\"credit\":{\"card\":\"1234-****-****-1234\"}}]}",
"method": "POST",
"url": "http://127.0.0.1:9080/anything"
}
}