File tree 1 file changed +33
-0
lines changed
1 file changed +33
-0
lines changed Original file line number Diff line number Diff line change @@ -31,3 +31,36 @@ This option affects the following HTTP headers across all requests:
3131- ` Cookie` header on the request
3232- ` Set-Cookie` header on the response
3333- ` Authorization` header on the response
34+
35+ The following values are allowed :
36+
37+ - ` redact` will redact the auth credential completely (default).
38+ - ` hash` will replace the value with a SHA256 hash of the original value (see below).
39+ - ` keep` will trace the full auth credential string in cleartext (NOT recommended).
40+
41+ # # Using `authCredential: "hash"`
42+
43+ The `authCredential : " hash" ` allows you to cross-match credentials across
44+ different requests safely without storing raw auth credentials in cleartext.
45+ For example, let's say a client makes an API call with following request
46+ header:
47+
48+
49+ ` ` `
50+ Authorization : Bearer my-secret-api-key-1234
51+ ` ` `
52+
53+ Setting ` authCredential: "hash"` will hash the value when the request is traced:
54+
55+ ```
56+ Authorization: <redacted:sha256:a4281572876fbe0eb4780386c435bd8be7bc36136a98e90a68a0af3837f27483>
57+ ```
58+
59+ Two requests using the same `Authorization` header will have the same redacted
60+ hash. If you know the original API key, you can also compute the hash yourself
61+ using the `sha256sum` command:
62+
63+ ```
64+ $ echo -n " Bearer my-secret-api-key-1234" | sha256sum
65+ a4281572876fbe0eb4780386c435bd8be7bc36136a98e90a68a0af3837f27483 -
66+ ```
You can’t perform that action at this time.
0 commit comments