Participant
April 24, 2023
Question

Remove sensitive info from logs

  • April 24, 2023
  • 1 reply
  • 383 views

Working on a new project that utilizes cfhttp to make a call to a remote site. The authentication to this site uses a unique account key that is passed in the url. This key is decrypted and passed in at the time of the cfhttp call. I'm able to make calls without any issues (get, put, post, etc) but upon reviewing logs(http.log and coldfusion-out.log), I noticed the account key is saved in plain text. I tried placing the key into a cfhttpparam as a type url but the log still reveals the same plain text key.


I would like to prevent the key from being "stored/logged" anywhere for obvious reasons. Is there some way to modify the logging level? Any way to modify the logs if a certain string is found? Maybe some other method that I should use?


I appreciate any advice.


1 reply

BKBK
Community Expert
May 1, 2023

Let's first get one thing out of the way. Placing a key into a cfhttpparam of type url is the same as appending Key=Value to the URL after the question-mark.


The behaviour you observe - logging of URL requests, including URL parameters - is so by design. Not only in ColdFusion. That is typical of every application server.


You will see that behaviour in browsers, too. They will save the entire URL request, including query-string, in their history. Cfhttp is essentially a browser. 


The moral is clear. You should

  1. Pass the key in the body of the cfhttp request, instead of as URL parameter, if you don't want the key to be logged.
  2. Use HTTPS, if you don't want unauthorized access to the URL data during the request.
  3. Use file or directory permissions to restrict access to the ColdFusion logs, if you have no choice but to use URL parameters.


These two resources offer you more information:

https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl

https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
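The first recommendation above, as an added example that is not code from the thread or from Adobe: the same cfhttp call written once with the key in the query string (what type="url" produces) and once with the key in a header or in the request body, so the URL that reaches http.log no longer carries it. The endpoint URL, the header name "X-Account-Key" and the key value are placeholders chosen for the example; check with the vendor which header or body field their API actually accepts.

```cfml
<cfscript>
// Added example, not part of the original post. Assumes the remote API accepts
// the account key in a request header or JSON body field; the hostname, the
// header name "X-Account-Key" and the key value below are placeholders.

// Constructed stand-in for the value the question obtains by decrypting the
// stored key at call time.
accountKey = "EXAMPLE-KEY-NOT-REAL";

// Before: the key rides in the query string, so http.log records it verbatim.
// cfhttpparam type="url" produces exactly this URL.
// cfhttp(url="https://api.example.test/items?key=#accountKey#", method="get", result="res");

// After (GET): the key goes in a header; only scheme, host and path are logged.
cfhttp(url="https://api.example.test/items", method="get", result="res") {
    cfhttpparam(type="header", name="X-Account-Key", value=accountKey);
}

// After (POST/PUT): the key goes in the body, here as a JSON field.
payload = serializeJSON({ "accountKey": accountKey, "item": "widget" });
cfhttp(url="https://api.example.test/items", method="post", result="res2") {
    cfhttpparam(type="header", name="Content-Type", value="application/json");
    cfhttpparam(type="body", value=payload);
}

// Report failures without echoing the request, so application logs stay clean too.
if (left(res.statusCode, 1) != "2") {
    writeLog(file="vendor-api", type="error",
             text="Vendor call failed: #res.statusCode# for GET /items");
}
</cfscript>
```

Both calls use https://, so the header and body are encrypted in transit (point 2 above); the key is still present in memory and on the wire, just not in the logged URL. After making the change, repeat the original check: issue a request and grep http.log and coldfusion-out.log for the key value to confirm nothing else in the pipeline writes it out.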


Participant
May 5, 2023

Thank you for the response, I appreciate the information you gave. That all makes sense. It sounds like there is no way to improve upon what I'm already doing, unless I'm given another way to authenticate from our vendor.


I'm still surprised that there isn't a way to create filters for these logs, or adjust the logging level.

BKBK
Community Expert
May 9, 2023

I do believe that it is possible to create filters for the logs. But you probably will have to tinker with the underlying Java classes. For example, classes like java.util.logging.Filter, java.util.logging.Logger and java.util.logging.LogRecord.


Search the WWW. You might find code examples or even complete log-filtering tools.
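The redaction logic such a filter would apply, as an added example and not code from the thread or from any tool BKBK refers to: a CFML function that masks key-like parameters and bearer tokens before a message is written with writeLog(). It covers the application's own log lines; the entries the server itself writes to http.log are untouched by it, which is why the Java-level filter mentioned above (a java.util.logging.Filter, or LogRecord.setMessage() on the record) would be needed for those. The parameter names, the log file name "vendor-api" and the sample lines are assumptions made for the example.

```cfml
<cfscript>
// Added example, not part of the original thread. Masks secrets in a message
// before it reaches writeLog(). The same regular expressions are what a
// java.util.logging.Filter would apply to LogRecord.getMessage(); this CFML
// version does not alter lines the server writes to http.log on its own.

function redactSecrets(required string msg) {
    // Mask the value of key-like query or body parameters (key, apikey,
    // api_key, token, password), case-insensitively, keeping the parameter
    // name so the log line is still readable. Parameter names are assumed.
    var masked = reReplaceNoCase(arguments.msg,
        "([?&]|\b)(key|apikey|api_key|token|password)=([^&\s""']+)",
        "\1\2=[REDACTED]", "all");
    // Mask bearer tokens in Authorization headers as well.
    return reReplaceNoCase(masked,
        "(Authorization:\s*Bearer\s+)\S+", "\1[REDACTED]", "all");
}

// Constructed sample lines shaped like http.log entries; the key and token
// values are not real.
samples = [
    "GET https://api.example.test/items?key=EXAMPLE-KEY&id=42 200",
    "Authorization: Bearer EXAMPLE-TOKEN",
    "GET https://api.example.test/items 200"
];

// Every line passes through redactSecrets() on its way to the application log.
for (line in samples) {
    writeLog(file="vendor-api", type="information", text=redactSecrets(line));
}
</cfscript>
```

Keep the parameter list in the first pattern in step with whatever names the vendor API uses; a redaction filter that does not know the parameter name lets the value through unchanged, so a quick grep of the resulting log for the live key value is the right check after any change to the pattern.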