NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

NCPA V3 dumping tokens in logs #1110

Closed timcanty closed 4 months ago

timcanty commented 4 months ago

Hi, just noticed on our Ubuntu instances running NCPA v3 (upgraded from v2) that when checking the service status, such as with "sudo systemctl status ncpa", it will output the last few requests against the service, so it includes the token, which I feel isn't great from a security point of view.

Is this us having the wrong logging level enabled, causing this, or a "feature" of the new version? Pretty certain this wasn't the case on v2.

If there is a way to mask or remove this from the logging, I feel that would be better.

ericloyd commented 4 months ago

Tokens in plaintext in log files are never a good idea. If a debug level option is putting them in there, then they should be obfuscated.

sawolf commented 4 months ago

Hi @timcanty - thanks for the heads up. I don't think this was intended or a "feature" on our part, and I agree that this should be addressed for next release.

ne-bbahn commented 4 months ago

It looks like these logs originate from the WSGIServer. I'll see if I can add a filter on the log to redact any information relating to tokens.
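
The kind of redaction filter described above, as an added example that is not NCPA's own code and not from any participant in this thread. It assumes the access lines pass through Python's standard `logging` module (the `TokenRedactingFilter` and `redact_tokens` names, and the sample log lines, are constructed for illustration); for a server that writes its access log to a file-like stream instead, the same `redact_tokens` function is wrapped around the stream's `write` method.

```python
import io
import logging
import re

# Added example, not NCPA's own code. All names and sample lines below are
# assumptions for illustration.

# Match a `token=` query parameter (case-insensitive) and capture its value.
# The value ends at the next '&', whitespace or quote, so the remainder of the
# request line (" HTTP/1.1" 200 ...) is preserved. `\b` keeps `mytoken=` from
# matching; extend the alternation if the agent uses other parameter names.
_TOKEN_RE = re.compile(r'(?i)(\btoken=)([^&\s"\']*)')
REDACTED = "<redacted>"


def redact_tokens(text: str) -> str:
    """Replace the value of every token= parameter in `text` with a placeholder."""
    return _TOKEN_RE.sub(lambda m: m.group(1) + REDACTED, text)


class TokenRedactingFilter(logging.Filter):
    """Scrub tokens from a LogRecord before any handler formats or writes it.

    Both the format string (record.msg) and its arguments are scrubbed, because
    access loggers typically pass the request line as a %s argument rather than
    embedding it in the format string.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = redact_tokens(record.msg)
        if isinstance(record.args, dict):
            record.args = {k: self._scrub(v) for k, v in record.args.items()}
        elif isinstance(record.args, tuple):
            record.args = tuple(self._scrub(a) for a in record.args)
        return True  # never drop the record, only rewrite it

    @staticmethod
    def _scrub(value):
        return redact_tokens(value) if isinstance(value, str) else value


class RedactingStream:
    """File-like wrapper for servers that write access lines to a stream."""

    def __init__(self, stream):
        self._stream = stream

    def write(self, text: str) -> int:
        return self._stream.write(redact_tokens(text))

    def flush(self) -> None:
        self._stream.flush()


class _ListHandler(logging.Handler):
    """Collects formatted records in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


# Constructed sample access-log lines; the tokens are placeholders.
SAMPLE_LINES = [
    '127.0.0.1 - - "GET /api/cpu/percent?token=s3cr3t&units=G HTTP/1.1" 200 412',
    '10.0.0.5 - - "GET /api/memory?units=G&Token=abc123 HTTP/1.1" 200 77',
    '10.0.0.9 - - "GET /api/disk HTTP/1.1" 200 990',
]


def logger_demo(lines):
    """Log `lines` through a handler carrying the filter; return what was written."""
    logger = logging.getLogger("example.wsgi")
    logger.handlers.clear()  # fresh state so repeated calls don't stack handlers
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    # Attaching to the handler scrubs every record the handler writes,
    # whichever logger produced it.
    handler.addFilter(TokenRedactingFilter())
    logger.addHandler(handler)
    for line in lines:
        logger.info("%s", line)  # request line passed as an argument
    return handler.lines


def stream_demo(lines):
    """Write `lines` through RedactingStream; return the resulting lines."""
    buf = io.StringIO()
    out = RedactingStream(buf)
    for line in lines:
        out.write(line + "\n")
    out.flush()
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for written in logger_demo(SAMPLE_LINES):
        print(written)
```

Because `systemctl status` simply shows the last lines the service wrote to its journal, the redaction has to happen before the line reaches stdout, stderr or the log file; a filter on the handler (rather than on one logger) is the safer placement, since it also covers records that propagate from child loggers. The filter only knows the parameter name it is told about, so any other parameter or header that carries the token needs its own pattern.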

timcanty commented 4 months ago

Thanks for working on this so promptly