Keep Your Data Protected

Configure Data Sanitization

To keep your application safe and prevent sensitive data leaks, we recommend that you sanitize your data before sending it to Bearer.

Data is only sent to Bearer when the Full Logging and Full Logging for Errors settings are enabled for an API.

By default, data sanitization is enabled and we suggest keeping it enabled. Bearer sanitizes data in headers, query parameters, and request/response bodies based on the following rules automatically. The default sanitization values are set as follows:

  • Values for keys that match the following regular expressions:

    • ^authorization$

    • ^password$

    • ^secret$

    • ^passwd$

    • ^api.?key$

    • ^access.?token$

    • ^auth.?token$

    • ^credentials$

    • ^mysql_pwd$

    • ^stripetoken$

    • ^card.?number.?$

    • ^secret$

    • ^client.?id$

    • ^client.?secret

  • Any values matching the following regular expressions (case insensitive):

    • [a-zA-Z0-9]{1}[a-zA-Z0-9.!#$%&’*+=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*

    • (?:\\d[ -]*?){13,16}

This default configuration prevents most of your API credentials from being sent to Bearer. If you wish to customize the sanitization rules, you can do so. The best way to do it is to use the Agent's configuration options when you first initialize the agent.

Example:

Bearer.init_config do |config|
# ...
config.strip_sensitive_keys = [/^authorization$/i, /^client.id$/i, /^access.token$/i, /^client.secret$/i]
config.strip_sensitive_regex = %r{[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*}
end

Changing sanitization settings will override the default rules.

Sanitization options

  • strip_sensitive_data - Globally enable/disable data sanitization (default: true). If you set this to false, no sanitization will take place and all the data will be sent to Bearer unfiltered.

  • strip_sensitive_keys - A regular expression pattern that will be applied to values that match specific keys in headers, query parameters, or the body. If you specify /^authorization$/ the following sanitization actions would take place:

    • In headers: the value of the "authorization" header will be sanitized and be sent to Bearer as authorization: [FILTERED].

    • In query string parameters: the value of the "authorization" query parameter will be sanitized. In the Bearer dashboard your URL will look like: http://www.example.com/endpoint?authorization=[FILTERED].

    • In the body: any value of an "authorization" key in the payload will be replaced with [FILTERED] . For example, { "name": "John", "authorization": "granted" } will be sent to the Bearer dashboard as { "name": "John", "authorization": "[FILTERED]" }. This rule only applies to payloads with a Content-Type header set to application/json.

  • strip_sensitive_regex - A regular expression pattern that will be used to sanitize any value in headers, query string parameters, or the body. Bearer will check all the values sent in the request or response and will replace matching patterns with [FILTERED].