Comments (5)
Great that you bring this up. In my past work, I was very heavily involved in the GDPR discussions especially around logging PII data and URLs were a common thing that got missed. I do agree that we should not log any of that not even the header keys since they are also sometimes used to include PII information.
In general, I don't like the approach of tying this to a log level since that still can lead to PII information being logged when somebody is trying to debug a totally different part of an application. Another idea that I had was introducing a logging configuration to AHC similar to what we do in service-lifecycle. This would allow us to let users configure logging keys used by AHC and we can make the ones for headers/urls/etc stand out and optional to indicate that these may contain PII
from async-http-client.
Yes, doing something with the keys is also important. We definitely need to document what we do here (there's a logging design doc already in this repo) and make it such that a user can prevent PII from being logged at all.
This issue is of course affecting much more than just AHC but AHC should help. The only proper solution is to explicitly allow-list metadata keys in the LogHandler that can be logged and everything else probably needs to be scrambled/removed/hashed/...
from async-http-client.
I wonder if scrambling in a LogHandler or making logging keys configurable in every library is better. Like if every log key becomes optional with some sane default values that might work as well. I agree though we should document it here and also in the broader ecosystem
from async-http-client.
I wonder if scrambling in a LogHandler or making logging keys configurable in every library is better. Like if every log key becomes optional with some sane default values that might work as well. I agree though we should document it here and also in the broader ecosystem
Yeah, everything is kinda tricky. A library just can't know, sometimes URLs contain PII and sometimes they really don't. Even within the same app some part might be using AHC with sensitive URLs and another part might use AHC where logging URLs is completely benign.
from async-http-client.
Yeah, everything is kinda tricky. A library just can't know, sometimes URLs contain PII and sometimes they really don't. Even within the same app some part might be using AHC with sensitive URLs and another part might use AHC where logging URLs is completely benign.
Right, that's why I think a per client config that you can pass the logging keys might work here. Users are then able to either set the keys nor not depending on if they know that there is no PII in there.
from async-http-client.
Related Issues (20)
- Linker Error on using AsyncHTTPClient while using Vapor inside XCode Project HOT 2
- crashed: free(): corrupted unsorted chunks #2617 HOT 5
- Support for SSE (EventSource) HOT 3
- _
- Different results for the same request on mac OS and Linux HOT 1
- README.md async/await example does not compile HOT 1
- Crash: precondition failure in HTTPConnectionPool+HTTP2Connections.swift:209 HOT 2
- Remove swift-docc-plugin dependency
- Too low of a decompression ratio in `HTTPClient.shared` settings HOT 11
- `Connection refused` not throwing right away HOT 6
- Rename and clarify the `body.collect(upTo:)` API which gets used in an insecure way all the time HOT 1
- How to initiate a request using a socks5 proxy with authentication? HOT 3
- OOM if setting `concurrentHTTP1ConnectionsPerHostSoftLimit: .max`
- `HTTPClient.execute(...) async throws` API violates Structured Concurrency HOT 17
- Canceling a download `Task` doesn't actually cancel it? HOT 3
- 7% of the overall runtime spent in `SelectableEventLoop.debugDescription`
- > 8% overall wall time spent for simple HTTP request on NSURL initialisation & related things
- Undesired (as in older faster than newer) perf delta between older and newer APIs
- Proxy server implementation example needed HOT 3
- Proxy issue : 407 proxyAuthenticationRequired error HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from async-http-client.