I am working on a general “architecture” related to the logging and security of web applications. As far as I know, it is considered best practice to record all the request / response data (not only access logs, but also the request / response body). This is good for security analysis, debugging purposes, auditing, and more.
There is a problem that confidential information is transmitted in some requests, for example, passwords and / or credit card information.
(Please note: of course, I use HTTPS, but passwords and / or credit card data will appear as plain text in logs or log files. And by the way, I do not store credit card data, because I am not PCI DSS compliant; we transfer this data to our partner, which is PCI DSS compliant).
Currently, I record and store access logs externally (that is, logs without request / response bodies, but with GET parameter data), and I log request / response body data in the application code (so that I can decide what data goes into the log and remove confidential data before logging).
However, I am going to implement logging (of request / response bodies) outside the application, say, at the server level through some module (for example, mod_dumpio or something like that), but in this case logging confidential information can be a big problem.
How do I implement / configure it?
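One way to strip such data before a request or response body is written to a log, as an added example that is not part of the original question: a redaction filter that masks fields by name (JSON or form-encoded bodies) and Luhn-checks runs of digits so a card number that appears in free text is masked too. The list of sensitive field names, the mask text and the "last four digits" format are assumptions for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Assumed list of field names that must never reach the log; extend for your app.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "cvv", "cvc", "card_number", "pan"}
MASK = "REDACTED"
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """True when the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan_text(text):
    """Mask every Luhn-valid digit run in free text, keeping only the last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group(0)
    return _PAN_RE.sub(repl, text)

def redact_value(key, value):
    """Recursively redact a decoded value: by key name first, then by PAN pattern in strings."""
    if key.lower() in SENSITIVE_KEYS:
        return MASK
    if isinstance(value, dict):
        return {k: redact_value(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_value(key, v) for v in value]
    if isinstance(value, str):
        return mask_pan_text(value)
    return value

def redact_body(body, content_type):
    """Return a log-safe copy of a request or response body, chosen by Content-Type."""
    if content_type.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:           # malformed JSON: fall back to pattern masking only
            return mask_pan_text(body)
        return json.dumps(redact_value("", data))
    if content_type.startswith("application/x-www-form-urlencoded"):
        pairs = parse_qsl(body, keep_blank_values=True)
        return urlencode([(k, redact_value(k, v)) for k, v in pairs])
    return mask_pan_text(body)       # unknown type: treat as opaque text
```

Key-name matching only catches fields you anticipated, and the Luhn pass can both miss data (non-card secrets) and occasionally mask an innocent number, so run the filter in the logging path and review its output before relying on it.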