DataDog / browser-sdk

Datadog Browser SDK
Apache License 2.0

Automatic metadata scrubbing #823

Open Math3v opened 3 years ago

Math3v commented 3 years ago

There's currently no automatic/manual way to instruct the SDK to scrub potentially sensitive properties.

import { datadogLogs } from '@datadog/browser-logs'

datadogLogs.logger.info('Button clicked', { name: 'buttonName', id: 123, password: 'myPlainTextPassword' })

Would it be possible to add a configuration or do it even automatically similar to e.g. Rollbar?

https://docs.rollbar.com/docs/rollbarjs-configuration-reference

Default scrubbed fields for servers: ["pw", "pass", "passwd", "password", "password_confirmation", "passwordConfirmation", "confirm_password", "confirmPassword", "secret", "secret_token", "secretToken", "secret_key", "secretKey", "api_key", "access_token", "accessToken", "authenticity_token", "oauth_token", "token", "user_session_secret", "request.session.csrf", "request.session._csrf", "request.params._csrf", "request.cookie", "request.cookies"]

Default scrubbed fields for browsers: ["pw", "pass", "passwd", "password", "secret", "confirm_password", "confirmPassword", "password_confirmation", "passwordConfirmation", "access_token", "accessToken", "secret_key", "secretKey", "secretToken", "cc-number", "card number", "cardnumber", "cardnum", "ccnum", "ccnumber", "cc num", "creditcardnumber", "credit card number", "newcreditcardnumber", "new credit card", "creditcardno", "credit card no", "card#", "card #", "cc-csc", "cvc2", "cvv2", "ccv2", "security code", "card verification", "name on credit card", "name on card", "nameoncard", "cardholder", "card holder", "name des karteninhabers", "card type", "cardtype", "cc type", "cctype", "payment type", "expiration date", "expirationdate", "expdate", "cc-exp"]

This could be extended to the existing scrubbable properties as well: https://docs.datadoghq.com/real_user_monitoring/browser/advanced_configuration/?tab=npm#scrub-sensitive-data-from-your-rum-data so that emails, passwords, and tokens are automatically scrubbed from URLs, error stacks, etc.

bcaudan commented 3 years ago

Hello @Math3v,

You could use beforeSend to manually scrub sensitive data from fields collected by the SDK. No plans for now for automatic scrubbing.
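One way to do what bcaudan suggests, as an added example that is not the SDK's or the issue's own code: a beforeSend hook for @datadog/browser-logs that redacts attributes stored under a constructed deny-list of key names (modelled on the Rollbar defaults quoted above) and redacts matching query parameters in view.url. The deny-list, the helper names and the depth bound are assumptions; the hook is a plain function so it runs without the SDK installed.

```javascript
// Added example, not part of @datadog/browser-logs: a beforeSend hook that
// redacts values under sensitive keys (constructed deny-list, modelled on the
// Rollbar defaults quoted in the issue) and matching query parameters in view.url.
const SENSITIVE_KEY_PATTERNS = [
  /^(pw|pass|passwd|password|password_confirmation|confirm_password)$/,
  /^(secret|secret_token|secret_key|api_key|access_token|oauth_token|token)$/,
  /^(cc[-_ ]?num(ber)?|card[-_ ]?number|cvv2|cvc2|ccv2|cc-exp)$/,
];
const REDACTED = '[REDACTED]';

// camelCase keys are normalised to snake_case so "accessToken" matches "access_token".
function isSensitiveKey(key) {
  const normalized = String(key).replace(/([a-z0-9])([A-Z])/g, '$1_$2').toLowerCase();
  return SENSITIVE_KEY_PATTERNS.some((re) => re.test(normalized));
}

// Recursively copy an attribute tree, replacing values under sensitive keys.
// Past the depth bound we redact rather than pass through, so a cyclic or
// pathological context fails closed instead of leaking.
function scrubObject(value, depth = 0) {
  if (depth > 10) return REDACTED;
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map((v) => scrubObject(v, depth + 1));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = isSensitiveKey(key) ? REDACTED : scrubObject(v, depth + 1);
  }
  return out;
}

// Redact sensitive query parameters; relative or malformed URLs are left as-is.
function scrubUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return url; }
  for (const key of [...parsed.searchParams.keys()]) {
    if (isSensitiveKey(key)) parsed.searchParams.set(key, REDACTED);
  }
  return parsed.toString();
}

// beforeSend hook: the SDK expects the event to be mutated in place, so the
// scrubbed copy is written back over the original object. Returning true keeps it.
function scrubLog(log) {
  const scrubbed = scrubObject(log);
  if (scrubbed.view && typeof scrubbed.view.url === 'string') {
    scrubbed.view.url = scrubUrl(scrubbed.view.url);
  }
  for (const key of Object.keys(log)) delete log[key];
  Object.assign(log, scrubbed);
  return true;
}
// Wire it up with: datadogLogs.init({ clientToken: '<YOUR_CLIENT_TOKEN>', beforeSend: scrubLog })
```

Keys are matched by name only; a secret stored under an innocuous key (or embedded in the message string) still needs a value-based check, which this hook does not attempt.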