Documentation
Overview
Package scrub defines helpers for removing sensitive data from HTTP headers and URLs to make them safe for logging.
Constants
This section is empty.
Variables
var (
	RestrictedHeaders = map[string]bool{
		"cookie":                      true,
		"heroku-authorization-token":  true,
		"heroku-two-factor-code":      true,
		"heroku-umbrella-token":       true,
		"http_authorization":          true,
		"http_heroku_two_factor_code": true,
		"http_x_csrf_token":           true,
		"oauth-access-token":          true,
		"omniauth.auth":               true,
		"set-cookie":                  true,
		"x-csrf-token":                true,
		"x_csrf_token":                true,
		"authorization":               true,
	}
)
The list of HTTP header names that will have their contents scrubbed of sensitive data.
var (
	RestrictedParams = map[string]bool{
		"access_token":                               true,
		"api_key":                                    true,
		"authenticity_token":                         true,
		"body.trace_chain.0.extra.cookies":           true,
		"body.trace_chain.0.extra.msg":               true,
		"body.trace_chain.0.extra.session.csrf.token": true,
		"bouncer.refresh_token":                      true,
		"bouncer.token":                              true,
		"confirm_password":                           true,
		"fingerprint":                                true,
		"heroku_oauth_token":                         true,
		"heroku_session_nonce":                       true,
		"heroku_user_session":                        true,
		"key":                                        true,
		"oauth_token":                                true,
		"old_secret":                                 true,
		"passwd":                                     true,
		"password":                                   true,
		"password_confirmation":                      true,
		"postgres_session_nonce":                     true,
		"private_key":                                true,
		"request.cookies":                            true,
		"request.cookies.signup-sso-session":         true,
		"request.params._csrf":                       true,
		"request.session._csrf_token":                true,
		"request.session.csrf.token":                 true,
		"secret":                                     true,
		"secret_token":                               true,
		"sudo_oauth_token":                           true,
		"super_user_session_secret":                  true,
		"token":                                      true,
		"user_session_secret":                        true,
		"www-sso-session":                            true,
	}
)
The list of URL parameter names that will have their contents scrubbed of sensitive data.
Functions
func Header
Header removes a subset of "sensitive" HTTP headers as used by parts of Heroku's conventions for API design. The output of this function is safe to be logged except in high-security scenarios.
Example
h := http.Header{
	"Authorization": []string{"Basic hunter2"},
}
scrubbed := Header(h)
val := scrubbed.Get("Authorization") // Will be `Basic [SCRUBBED]`
_ = val                              // do something with `val`
func URL
URL removes a subset of "sensitive" URL parameters as used by parts of Heroku's conventions for API design. The output of this function is safe to be logged except in high-security scenarios.
Example
u, err := url.Parse("https://google.com?api_key=hunter2")
if err != nil {
	log.Fatal(err)
}
su := URL(u)
log.Println(su.String()) // should be `https://google.com?api_key=[SCRUBBED]`
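A stand-alone illustration of the denylist scrubbing that Header and URL are described as doing, added here as an example and not the package's own source. The names scrubHeader and scrubURL, the shortened lists, the case-insensitive matching and the copy-before-modify behaviour are assumptions of this example; the `Basic [SCRUBBED]` shape follows the page's Header example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const scrubbed = "[SCRUBBED]" // placeholder used in the page's examples
// Short subsets of the page's RestrictedHeaders / RestrictedParams (assumption:
// names are compared in lower case).
var restrictedHeaders = map[string]bool{"authorization": true, "cookie": true, "x-csrf-token": true}
var restrictedParams = map[string]bool{"api_key": true, "access_token": true, "password": true}

// scrubHeader returns a loggable copy of h; the caller's header is not modified.
func scrubHeader(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for name, vals := range h {
		for _, v := range vals {
			if restrictedHeaders[strings.ToLower(name)] {
				scheme, _, hasScheme := strings.Cut(v, " ")
				v = scrubbed
				if strings.EqualFold(name, "authorization") && hasScheme {
					v = scheme + " " + scrubbed // keep the auth type for debugging
				}
			}
			out[name] = append(out[name], v)
		}
	}
	return out
}

// scrubURL returns a copy of u whose restricted query values are replaced.
// Repeated restricted parameters collapse to a single scrubbed value.
func scrubURL(u *url.URL) *url.URL {
	cp := *u
	q := cp.Query()
	for name := range q {
		if restrictedParams[strings.ToLower(name)] {
			q.Set(name, scrubbed)
		}
	}
	cp.RawQuery = q.Encode()
	return &cp
}

func main() {
	u, _ := url.Parse("https://example.com/v1?api_key=hunter2&page=2") // constructed input
	fmt.Println(scrubHeader(http.Header{"Authorization": {"Basic hunter2"}}), scrubURL(u))
}
```

Because this example re-encodes the query with url.Values.Encode, the brackets of the placeholder appear percent-encoded in the printed URL.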
Types
This section is empty.