marek-obuchowicz opened a new issue, #13452: URL: https://github.com/apache/apisix/issues/13452
### Description As a apisix user, I have enabled loki-logger (without overriding `log_format`) and I have quickly noticed, that all headers are being logged - including `request_headers_authorization`, `request_headers_x_userinfo`,`request_headers_x_access_token`. According to very common security practices, such data should not be logged. While we have possibility to override what's being logged via `log_format` - I would expect *defaults* to follow security practices. In ideal scenario, we should introduce a parameter to the plugin configuration, which contains list of HTTP headers to be dropped, and it should by default include `Authorization`, `X-Userinfo`, `X-Access-Token` fields. This could possibly apply to other logger plugins, too. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
