I am running a NodeJS application, hosted in a Linux Azure Web App. I have set up diagnostic logs for HTTP Logs to be forwarded to a Log Analytics Workspace, and having looked at the logs, I can see there are cookies included by default.

I would ideally like to control which cookies are included in the HTTP logs or prevent cookies being logged at all. I haven’t found any documentation on configuring the HTTP logs, and the diagnostic setting is just on or off for that log category.

Is there anything I can do to control the HTTP log content? Thanks

2

Answers


  1. Chosen as BEST ANSWER

    It seems it is not possible to configure the HTTP Logs diagnostic configuration. The accepted answer has some useful considerations, but in my use case the processing via event hubs and functions was not an option.


  2. I would ideally like to control which cookies are included in the HTTP logs or prevent cookies being logged at all.

    Azure App Service diagnostic logging doesn’t currently allow direct control over which headers or cookies appear in HTTP logs.

    • Azure’s HTTP logs automatically record all incoming headers, including cookies, without any way to mask or exclude specific values, which can result in sensitive cookie data being stored in the logs.

    At the application level, we can add middleware in our Node.js app to intercept and mask sensitive cookies before they get logged.

    I’ve added middleware to the code that checks each cookie in the request and replaces sensitive cookie values with [FILTERED].

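    app.use((req, res, next) => {
        console.log("Middleware is running");

        if (req.headers.cookie) {
            // Split the Cookie header into individual name=value pairs.
            const maskedCookies = req.headers.cookie.split(';').map(cookie => {
                const pair = cookie.trim();
                const name = pair.split('=')[0].trim();
                // sensitiveCookies is the list of cookie names defined in app.js below.
                if (sensitiveCookies.includes(name)) {
                    return `${name}=[FILTERED]`;
                }
                return pair;
            });

            // Overwrite the header; later handlers see the masked values.
            req.headers.cookie = maskedCookies.join('; ');

            console.log("Masked Cookies:", req.headers.cookie);
        }
        next();
    });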

    Complete app.js code:

    const express = require('express');
    const app = express();

    // Names of the cookies whose values must be masked.
    const sensitiveCookies = ["SensitiveCookie", "AnotherCookie"];

    app.use((req, res, next) => {
        console.log("Middleware is running");

        if (req.headers.cookie) {
            // Split the Cookie header into individual name=value pairs.
            const maskedCookies = req.headers.cookie.split(';').map(cookie => {
                const pair = cookie.trim();
                const name = pair.split('=')[0].trim();
                if (sensitiveCookies.includes(name)) {
                    return `${name}=[FILTERED]`;
                }
                return pair;
            });

            // Overwrite the header; later handlers see the masked values.
            req.headers.cookie = maskedCookies.join('; ');

            console.log("Masked Cookies:", req.headers.cookie);
        } else {
            console.log("No cookies in request");
        }
        next();
    });

    app.get('/', (req, res) => {
        res.send("Hello, your app is running!");
    });

    const port = process.env.PORT || 3000;
    app.listen(port, () => {
        console.log(`Server is running on port ${port}`);
    });


    This approach ensures that sensitive cookie values are not exposed.

    [Screenshots not preserved: local output; output after deployment]

    Other alternative approaches for masking sensitive data:

    • Forward Logs to Azure Event Hubs
      • You can configure Azure to send logs to an intermediary service, like Event Hubs or Log Analytics, where a custom pipeline or Azure Function can mask sensitive information before final storage. Refer to doc1 and doc2 for a better understanding.
    • Use Application Insights Telemetry Processor
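The Event Hubs alternative mentioned in the second answer relies on a function that masks cookie values in exported log records before final storage. The following is an added example of that redaction step, not code from either answer; it uses an allowlist rather than the answer's list of sensitive names, and the `{ records: [...] }` envelope, the `properties` and `Cookie` field names, and the allowlist entries are assumptions to check against a record from your own diagnostic export.

```javascript
// Added example. The envelope, field names and allowlist are assumptions;
// check them against a record from your own export.
const SAFE_COOKIES = new Set(['theme', 'locale']); // hypothetical allowlist

// Mask a Cookie header value: keep every name, keep values only if allowlisted.
function maskCookieHeader(header, allow = SAFE_COOKIES) {
  if (typeof header !== 'string' || header.trim() === '') return header;
  return header
    .split(';')
    .map(part => part.trim())
    .filter(part => part !== '')
    .map(part => {
      const eq = part.indexOf('='); // split on the first '=' only; values may contain '='
      const name = eq === -1 ? part : part.slice(0, eq).trim();
      return allow.has(name) ? part : `${name}=[FILTERED]`;
    })
    .join('; ');
}

// Redact one record; `properties` may arrive as an object or as a JSON string.
function redactRecord(record, allow = SAFE_COOKIES) {
  const wasString = typeof record.properties === 'string';
  let props;
  try {
    props = wasString ? JSON.parse(record.properties) : { ...record.properties };
  } catch {
    // Fail closed: never forward properties that could not be inspected.
    return { ...record, properties: '[UNPARSEABLE - DROPPED]' };
  }
  for (const key of Object.keys(props ?? {})) {
    if (key.toLowerCase() === 'cookie') props[key] = maskCookieHeader(props[key], allow);
  }
  return { ...record, properties: wasString ? JSON.stringify(props) : props };
}

// Redact a batch in the assumed { records: [...] } envelope without mutating it.
function redactBatch(batch, allow = SAFE_COOKIES) {
  return { ...batch, records: (batch.records || []).map(r => redactRecord(r, allow)) };
}

// Constructed sample input, not real log data.
const sampleBatch = { records: [
  { category: 'AppServiceHTTPLogs', properties: JSON.stringify({
    CsUriStem: '/', Cookie: 'theme=dark; SensitiveCookie=abc=123;AnotherCookie=xyz' }) },
  { category: 'AppServiceHTTPLogs', properties: { CsUriStem: '/health', Cookie: '' } },
] };
console.log(JSON.stringify(redactBatch(sampleBatch), null, 2));
```

An allowlist means a cookie added to the application later is masked by default instead of being stored until someone remembers to list it.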