I have a server application, and for security reasons I'm trying to prevent
requests, which provide 'username' and 'password' as query parameters, from
being logged (providing these parameters as query parameters is a user
mistake, but still...)
I've tried this way:
* SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
CustomLog logs/my_log common env=!dontlog*
But the unwanted requests were still being printed to the log. I wanted to
verify that *QUERY_STRING *contains what I expected it to, so I tried to
print it out:
* CustomLog logs/my_log "%{QUERY_STRING}e"*
But no matter what request was made, only '-' was printed to the log. I've
done the same for other server variables, e.g: REQUEST_URI, THE_REQUEST,
etc - and all were empty (or rather only contained the '-' character.
What am I missing?
Thanks!
