Unable to mask sensitive information in Request query params in Spring boot tomcat embedded access.log
Problem: Unable to mask sensitive information in request query params in Spring Boot embedded Tomcat access.log
Details: I created a Spring Boot application with the default Tomcat server. Reference: https://spring.io/blog/2014/03/07/deploying-spring-boot-applications Now, when I enable Tomcat access logs using application.properties as follows:
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.pattern='%h %l %u %t "%r" %s %b %D %F'
server.tomcat.accesslog.prefix=access
server.tomcat.accesslog.directory=/test/logs
server.tomcat.accesslog.suffix=.log
I can see the whole request with all query params passed, like this: '0:0:0:0:0:0:0:1 - - [21/Aug/2023:14:01:53 +0530] "GET /hello/World?queryTest=[email protected] HTTP/1.1" 200 13 20 19'
I tried different ways to mask the query params (that is, the email in the above case) in the access.log file, but nothing worked.
Version used: spring-boot-starter-parent: 2.6.6
@dineshv1234567 You should not have sensitive data in request parameters. The request parameters form part of the URL and will be logged by web servers. The known sensitive headers and the body are not logged.
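
For applications that cannot yet move the value out of the URL, one way to keep query values out of access.log is a custom valve that overrides the %r element. This is an added example, not code from the thread or from Spring Boot; the class names MaskedAccessLogConfig and MaskingAccessLogValve are hypothetical, and it assumes server.tomcat.accesslog.enabled=false so the stock valve does not also write unmasked lines.

```java
import java.util.regex.Pattern;

import org.apache.catalina.valves.AccessLogValve;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class MaskedAccessLogConfig {

    /** Hypothetical valve (added example): %r logs parameter names, never their values. */
    static class MaskingAccessLogValve extends AccessLogValve {
        // Matches "=value" up to the next '&' in the raw (still URL-encoded) query string.
        private static final Pattern VALUE = Pattern.compile("=[^&]*");

        static String maskQuery(String query) {
            return VALUE.matcher(query).replaceAll("=***");
        }

        @Override
        protected AccessLogElement createAccessLogElement(char pattern) {
            if (pattern != 'r') {
                return super.createAccessLogElement(pattern);
            }
            // Rebuild the request line: method, path, masked query, protocol.
            return (buf, date, request, response, time) -> {
                buf.append(request.getMethod()).append(' ').append(request.getRequestURI());
                String query = request.getQueryString();
                if (query != null) {
                    buf.append('?').append(maskQuery(query));
                }
                buf.append(' ').append(request.getProtocol());
            };
        }
    }

    @Bean
    WebServerFactoryCustomizer<TomcatServletWebServerFactory> maskedAccessLog() {
        return factory -> {
            MaskingAccessLogValve valve = new MaskingAccessLogValve();
            valve.setPattern("%h %l %u %t \"%r\" %s %b %D %F");
            valve.setDirectory("/test/logs");
            valve.setPrefix("access");
            valve.setSuffix(".log");
            factory.addEngineValves(valve);
        };
    }
}
```

With this valve the request from the question is logged as "GET /hello/World?queryTest=*** HTTP/1.1". The value still reaches any proxy or load balancer in front of the application, which keeps its own logs.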