Closed timcanty closed 4 months ago
Tokens in plaintext in log files is never a good idea. If a debug level option is putting them in there, then they should be obfuscated.
Hi @timcanty - thanks for the heads up. I don't think this was intended or a "feature" on our part, and I agree that this should be addressed for next release.
It looks like these logs originate from the WSGIServer. I'll see if I can add a filter on the log to redact any information relating to tokens.
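One way a log filter of the kind mentioned above could redact tokens, as an added example (not NCPA's code or its actual fix). It assumes the token appears as a `token=` parameter in the logged request line; the logger name, request paths and sample log lines are constructed.

```python
import io
import logging
import re

# Assumption: the secret is carried as a "token" parameter in the request line.
# \b keeps unrelated parameters such as "mytoken=" untouched.
TOKEN_RE = re.compile(r"(?i)(\btoken=)[^&\s\"']+")


def redact(text):
    """Replace the value of any token= parameter with a fixed mask."""
    return TOKEN_RE.sub(r"\1********", text)


class TokenRedactingFilter(logging.Filter):
    def filter(self, record):
        # Render msg % args first so tokens passed as arguments are covered too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def demo():
    """Log constructed access lines through the filter and return the output."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler, not the logger: logger-level filters are skipped
    # for records that propagate up from child loggers.
    handler.addFilter(TokenRedactingFilter())
    log = logging.getLogger("constructed.wsgi.access")  # hypothetical name
    log.setLevel(logging.DEBUG)
    log.propagate = False
    log.addHandler(handler)
    # Constructed sample lines in a typical WSGI access-log shape.
    log.info('127.0.0.1 - - [2024-01-01 12:00:00] '
             '"GET /api/cpu/percent?token=s3cr3t&units=G HTTP/1.1" 200 231 0.004')
    log.debug("%s %s", "GET", "/api/memory?units=G&TOKEN=s3cr3t")
    log.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Lines already written to a log file or the journal keep the token, so a filter like this only protects entries logged after it is in place.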
Thanks for working on this so promptly
Hi, just noticed on our Ubuntu instances running NCPA v3 that upgraded from v2 that when checking the service status such as "sudo systemctl status ncpa" it will output the last few requests against the service, so includes the token, which I feel isn't great from a security point of view.
Is this us having the wrong logging level enabled to cause this, or a "feature" of the new version, as pretty certain this wasn't the case on v2.
If there is a way to mask or remove this from the logging, I feel it would be better.