Working on a new project that utilizes cfhttp to make a call to a remote site. The authentication to this site uses a unique account key that is passed in the URL. This key is decrypted and passed in at the time of the cfhttp call. I'm able to make calls without any issues (GET, PUT, POST, etc.) but upon reviewing logs (http.log and coldfusion-out.log), I noticed the account key is saved in plain text. I tried placing the key into a cfhttpparam of type url, but the log still reveals the same plain-text key.
I would like to prevent the key from being "stored/logged" anywhere for obvious reasons. Is there some way to modify the logging level? Any way to modify the logs if a certain string is found? Maybe some other method that I should use?
I appreciate any advice.
Let's first get one thing out of the way. Placing a key into a cfhttpparam of type url is the same as appending Key=Value to the URL after the question-mark.
The behaviour you observe - logging of URL requests, including URL parameters - is by design. Not only in ColdFusion. That is typical of every application server.
You will see that behaviour in browsers, too. They will save the entire URL request, including query-string, in their history. Cfhttp is essentially a browser.
The moral is clear. You should
These two resources offer you more information:
https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl
https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
Thank you for the response, I appreciate the information you gave. That all makes sense. It sounds like there is no way to improve upon what I'm already doing, unless I'm given another way to authenticate from our vendor.
I'm still surprised that there isn't a way to create filters for these logs, or adjust the logging level.
I do believe that it is possible to create filters for the logs. But you probably will have to tinker with the underlying Java classes. For example, classes like java.util.logging.Filter, java.util.logging.Logger and java.util.logging.LogRecord.
Search the WWW. You might find code examples or even complete log-filtering tools.
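As an added illustration of the java.util.logging approach mentioned in the reply above (this is example code written for this page, not code from the thread, from Adobe, or from any ColdFusion release), the following shows the two hooks that class set actually gives you. A java.util.logging.Filter can only accept or reject a LogRecord, so it is suitable for dropping any record that contains the literal key; masking the key while keeping the rest of the line requires a Formatter (or a custom Handler), because the Filter interface cannot modify the record. The parameter names `accountKey`, `key` and `apiKey`, the vendor URL and the sample key value are all constructed for the example; the thread does not say what the vendor's parameter is called, and whether ColdFusion's own http.log is routed through java.util.logging at all is an assumption you would have to verify on your installation.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Filter;
import java.util.logging.Formatter;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SecretRedactingLogging {

    // Query-string parameter names whose values must never reach a log file.
    // These names are assumptions for the example; substitute the vendor's real name.
    private static final Pattern SENSITIVE_PARAM =
        Pattern.compile("(?i)([?&](?:accountKey|key|apiKey)=)[^&\\s]*");

    /** Mask the value of any sensitive query-string parameter in a log message. */
    static String redact(String message) {
        if (message == null) {
            return null;
        }
        Matcher m = SENSITIVE_PARAM.matcher(message);
        return m.replaceAll("$1[REDACTED]");
    }

    /**
     * Filter: a java.util.logging.Filter cannot change a record, only veto it.
     * This one drops any record whose message still carries the literal key.
     */
    static final class KeyFilter implements Filter {
        private final String secret;

        KeyFilter(String secret) {
            this.secret = secret;
        }

        @Override
        public boolean isLoggable(LogRecord record) {
            String msg = record.getMessage();
            return msg == null || !msg.contains(secret);
        }
    }

    /**
     * Formatter: rewrites the message so the key is masked before the
     * handler writes it. This keeps the rest of the line for troubleshooting.
     */
    static final class RedactingFormatter extends Formatter {
        @Override
        public String format(LogRecord record) {
            return record.getLevel() + ": " + redact(formatMessage(record))
                + System.lineSeparator();
        }
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("http");
        log.setUseParentHandlers(false);          // do not let the root handler print the raw line
        ConsoleHandler handler = new ConsoleHandler();
        handler.setFormatter(new RedactingFormatter());
        log.addHandler(handler);

        String secret = "3f9a1c7e-example-key";  // constructed sample key, not a real credential

        // Option A: keep the record, mask the key.
        // Written as: INFO: GET https://vendor.example/api/v1/balance?accountKey=[REDACTED]&format=json
        log.info("GET https://vendor.example/api/v1/balance?accountKey=" + secret + "&format=json");

        // Option B: suppress the record entirely if the raw key is present.
        log.setFilter(new KeyFilter(secret));
        log.info("Retrying https://vendor.example/api/v1/balance?accountKey=" + secret);
    }
}
```

Two caveats a practitioner would want before relying on this. First, the filter and formatter only act on loggers you attach them to; anything the server writes through a different logging framework, or directly to a file, is untouched, so confirm with a test request that the key really has disappeared from http.log and coldfusion-out.log rather than assuming it. Second, filtering after the fact does not change the point made earlier in the thread: the key still travels in the query string and can be captured by proxies, browser history or the remote side's access logs, so log filtering is damage limitation, not a substitute for an authentication method that keeps the credential out of the URL.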