Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
HttpLogging Middleware option to log all headers
See original GitHub issueBackground and Motivation
By default request/response headers which are not added to the collections of the RequestHeaders and ResponseHeaders properties of the HttpLoggingOptions configuration object are logged with a redacted value.
It would be good to add an option, in scenarios controlled by the developer, to enable the logging of any request or response header.
Examples of scenarios:
- Debugging
- Sensitive data by design of the application never ends up in the headers
- Not predictable headers that must be logged
Proposed API
It can be achieved by allowing new values for the HttpLoggingFields enum. For example:
namespace Microsoft.AspNetCore.HttpLogging;
[Flags]
public enum HttpLoggingFields : long
{
//Existent enum values
None = 0x0,
RequestPath = 0x1,
....
+ RequestHeadersIncludeSensitive = 0x1000,
+ ResponseHeadersIncludeSensitive = 0x2000,
+ RequestPropertiesAndHeadersIncludeSensitive = RequestProperties | RequestHeadersIncludeSensitive,
+ ResponsePropertiesAndHeadersIncludeSensitive = ResponseStatusCode | ResponseHeadersIncludeSensitive,
+ RequestIncludeSensitive = RequestPropertiesAndHeadersIncludeSensitive | RequestBody,
+ ResponseIncludeSensitive = ResponseStatusCode | ResponseHeadersIncludeSensitive | ResponseBody,
+ AllIncludeSensitive = RequestIncludeSensitive | ResponseIncludeSensitive
....
All = Request | Response
}
Usage Examples
The developer can opt-in for the new beahvior:
using Microsoft.AspNetCore.HttpLogging;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpLogging(logging =>
{
logging.LoggingFields = HttpLoggingFields.AllIncludeSensitive; //Usage of one of the new enum values
});
var app = builder.Build();
app.UseHttpLogging();
app.Run();
This configuration will log all the request/response headers without the redacted value.
Risks
It doesn’t affect nor change the current API behavior since the developer must explicitly configure the logging with one of the new values in order to enable the logging for all the headers.
Implementation
The following commit shows how could look like the implementation: https://github.com/liguori/aspnetcore/commit/9f35fa91fdea4404f5028789dbf239edc8d2fc8a
Issue Analytics
- State:
- Created a year ago
- Reactions:3
- Comments:7 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
There are context in which headers are not predictable because dynamics. I am thinking about “X-” prefixed header that can arrive on the application depending on any intermediate infrastructural objects or cases in which you would like to log “abusive user/client behavior” that can inject every kind of “garbage” headers and it must be logged for auditing purpose.
In order to be still secure, when those new Enum values are set, it could be added an excluson list of well-known standard headers (from HTTP specs) in some new properties RequestExcluedHeaders and ResponseExcluedHeaders of the HttpLoggingOptions configuration object and initialized by default from the framework (i.e. Authentication, Cookie , etc), still giving the user choice to remove it.
The point is to be secure by design because default framework initialization but give the user (developer) the choice.
Another consideration is that the most of the PII or sensitive data is in the body and once you decide to enable logging with HttpLoggingFields.All or HttpLoggingFields.RequestBody (current possible configuration), you are logging everything.
Thank you @Tratcher for pointing to the #33346, your suggestion about expose a boolean switch would fit the example scenarios that I have mentioned in the first message and that I would like to be covered (not only debugging).
I agree with @blowdart as well about the responsibility of security decisions of the ASP.NET team but I think that currently are already shipped with the logging middleware options for log information that could be potentially more sensitive than what we could find in all the headers (except some few exceptions similar to the one I have mentioned) like the Body that if we think about Rest API could expose all the possible data of this world.
@adityamandaleeka it is fine to close this issues I will follow the #39200 although I cannot figure out which selector could be used in order to enable in future the logging of ALL the headers (with the possibility to exclude someone like Authorization, Cookie, etc).