Change log to not include POST parameter value?

Question asked by CBertagnolli Champion on Jan 5, 2018
We are working with a policy using XPath credentials, and part of the security policy included the "Protect Against Code Injection" protection of the body.


Came across a password that fired it off, and that password ended up being logged in the clear in the log file. That would allow folks who shouldn't have access to it to know the key.


Is there a recommended way to keep this from happening with a POST body and still get the code injection protection? I wouldn't want to change it globally for non-sensitive POST data, but for sensitive POST content I want to ensure the actual value is masked in some way.


I'd want it applied only to very specific policies where sensitive stuff is present. For everything else it would be fine, and better, to have the value so we know what someone was trying to send across.


WARNING 5687 com.l7tech.server.policy.assertion.ServerCodeInjectionProtectionAssertion: 7154: [password was here]... detected in Request message body
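Added illustration (not part of the original post and not the gateway's own code): the behaviour the question asks for, expressed as a small scanner. Every leaf element of an XML body is checked against a few injection signatures; a hit on a normal field is logged verbatim, as wanted for forensics, while a hit on a field whose path is listed as sensitive is logged only as a length plus a keyed HMAC reference, so the log line records that a detection happened and can be correlated, but never contains the secret. The signatures, element paths, sample body and masking key are all constructed for the example; the real assertion's rule set is not reproduced here.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Hypothetical, deliberately simplified injection signatures. They stand in for
# whatever the gateway's assertion checks and are NOT its rule set.
INJECTION_SIGNATURES = [
    ("html/js tag", re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)),
    ("sql tautology", re.compile(r"['\"]\s*(?:or|and)\s+\S+\s*=", re.IGNORECASE)),
    ("shell metachar", re.compile(r"[;&|`]\s*\w+")),
]

# Assumed per-deployment secret for the masking HMAC; in practice load it from a
# secret store, never from the same place as the log configuration.
MASKING_KEY = b"constructed-example-key-change-me"

# Constructed element paths whose values must never be logged verbatim
# (the analogue of "only very specific policies").
SENSITIVE_PATHS = {"/login/password"}

# Constructed request body: the user field carries a SQL-style payload and the
# password contains a shell metacharacter followed by a command word.
SAMPLE_BODY = """<login>
  <user>alice' OR 1=1 --</user>
  <password>p@ss;rm -rf</password>
  <note>hello world</note>
</login>"""


def mask_value(value: str, key: bytes = MASKING_KEY) -> str:
    """Replace a sensitive value with a keyed, non-reversible reference.

    The length shows an operator that *something* was sent; the HMAC prefix lets
    two log lines be correlated (same value, same tag) without exposing the value.
    A plain hash would be brute-forceable for low-entropy passwords, hence the key.
    """
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
    return f"<masked len={len(value)} hmac={tag}>"


def _walk(elem, parent_path, sensitive_paths, out):
    path = f"{parent_path}/{elem.tag}"
    if len(elem) == 0:  # leaf element: this is where user-controlled text lives
        text = elem.text or ""
        for name, pattern in INJECTION_SIGNATURES:
            if pattern.search(text):
                shown = mask_value(text) if path in sensitive_paths else text
                out.append(
                    f"WARNING code injection ({name}) detected in request body at {path}: {shown}"
                )
                break  # one log line per offending element is enough
    for child in elem:
        _walk(child, path, sensitive_paths, out)


def scan_body(xml_body: str, sensitive_paths=frozenset(SENSITIVE_PATHS)) -> list:
    """Scan every leaf element of an XML body and return the log lines to emit.

    Non-sensitive fields are logged verbatim; fields whose path is in
    sensitive_paths are logged as a masked reference only.
    """
    out = []
    _walk(ET.fromstring(xml_body), "", sensitive_paths, out)
    return out


if __name__ == "__main__":
    for line in scan_body(SAMPLE_BODY):
        print(line)
```

Running the block prints two warnings: the `/login/user` payload appears in full, while the `/login/password` line shows only `<masked len=11 hmac=...>`. Passing an empty set as `sensitive_paths` reproduces the original problem, with the password logged in the clear, which is a quick way to confirm the masking is actually wired to the right path.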