Prevent cookie being logged to azure web app linux HTTP logs

likeaninja
November 8, 2024
173 views
0 votes
2 Answers

I am running a NodeJS application, hosted in a Linux Azure Web App. I have set up diagnostic logs for HTTP Logs to be forwarded to a Log Analytics Workspace and having looked at the logs I can see there’s cookies included by default.

I would ideally like to control which cookies are included in the HTTP logs or prevent cookies being logged at all. I haven’t found any documentation on configuring the HTTP logs, and the diagnostic setting is just on or off for that log category.

Is there anything I can do to control the HTTP log content? Thanks

Answers

Chosen as BEST ANSWER
- likeaninja
- November 8, 2024 at 4:35 pm
- 0 votes
0
It seems it is not possible to configure the HTTP Logs diagnostic configuration. The accepted answer has some useful considerations but in my use case the processing via event hubs and functions was not an option.

(Edit)

- SirraSneha
- November 8, 2024 at 8:49 am
- 0 votes
0
I would ideally like to control which cookies are included in the HTTP logs or prevent cookies being logged at all.

Azure App Service diagnostic logging doesn’t currently allow direct control over which headers or cookies appear in HTTP logs.
- Azure’s HTTP logs automatically record all incoming headers, including cookies, without any way to mask or exclude specific values, which can result in sensitive cookie data being stored in the logs.
At the application level, we can add middleware in our Node.js app to intercept and mask sensitive cookies before they get logged.

I’ve added middleware to the code that checks each cookie in the request and replaces sensitive cookie values with [FILTERED].
```
app.use((req, res, next) => {
    console.log("Middleware is running");  

    if (req.headers.cookie) {
      
        const maskedCookies = req.headers.cookie.split(';').map(cookie => {
            const [name, value] = cookie.split('=');
            if (sensitiveCookies.includes(name.trim())) {
                return `${name}=[FILTERED]`;
            }
            return cookie;
        });
       
        req.headers.cookie = maskedCookies.join('; ');

        console.log("Masked Cookies:", req.headers.cookie);
```
Complete app.js code:
```
const express = require('express');
const app = express();

const sensitiveCookies = ["SensitiveCookie", "AnotherCookie"];

app.use((req, res, next) => {
    console.log("Middleware is running");  

    if (req.headers.cookie) {
        
        const maskedCookies = req.headers.cookie.split(';').map(cookie => {
            const [name, value] = cookie.split('=');
            if (sensitiveCookies.includes(name.trim())) {
                return `${name}=[FILTERED]`;
            }
            return cookie;
        });
        
        req.headers.cookie = maskedCookies.join('; ');

       
        console.log("Masked Cookies:", req.headers.cookie);
    } else {
        console.log("No cookies in request"); 
    }
    next();
});

app.get('/', (req, res) => {
    res.send("Hello, your app is running!");
});
const port = process.env.PORT || 3000;
app.listen(port, () => {
    console.log(`Server is running on port ${port}`);
});
```
This approach ensures that sensitive cookie values are not exposed.

Local output:

Output after deployment:

Other Alternative approaches for masking sensitive data :
- Forward Logs to Azure Event Hubs
  - You can configure Azure to send logs to an intermediary service, like Event Hubs or Log Analytics, where a custom pipeline or Azure Function can mask sensitive information before final storage. refer this doc1, doc2 for better understanding.
- Use Application Insights Telemetry Processor
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.