aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Support WAF log redaction #90

Closed rectalogic closed 2 years ago

rectalogic commented 5 years ago

The WAF log parsers enable WAF logging. https://github.com/awslabs/aws-waf-security-automations/blob/master/source/custom-resource/custom-resource.py#L396

This logs sensitive details about the request such as the cookie. Allow configuration of WAF log redaction via RedactedFields: https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_LoggingConfiguration.html

hvital commented 5 years ago

Hi @rectalogic

Good point! Is there a general redact rule that should be applied by default or should we add this as CloudFormation stack input parameters (or should we just highlight those references on the documentation)? What do you think?

Many thanks!

rectalogic commented 5 years ago

I think it should be an input parameter, and probably default to redacting the cookie header (since that is often sensitive, authorization cookie etc.) It's configured as a list of field types and data values, so maybe the stack parameter could be cloudformation CommaDelimitedList of type=value items like HEADER=Cookie,SINGLE_QUERY_ARG=UserName etc.

deolank commented 4 years ago

Thanks for your feedback. We have added this request to our feature backlog.

don-code commented 3 years ago

In the event this is prioritized, the Authorization header is another good candidate for defaulting to add.

aijunpeng commented 3 years ago

Thanks for the comments. After careful evaluation of the request, we would like to leave this to customers to set it up based on their specific needs instead of including it in the WAF solution.

References: https://docs.aws.amazon.com/waf/latest/developerguide/logging.html https://docs.aws.amazon.com/waf/latest/APIReference/API_LoggingConfiguration.html
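Mapping the CommaDelimitedList format rectalogic proposes (with the Cookie and Authorization header defaults suggested in the thread) onto classic WAF `FieldToMatch` entries, as an added example that is not the solution's own code; the field type names are those of the classic WAF API, while the parameter syntax and the defaults are this thread's proposal.

```python
"""Parse the 'TYPE=value,...' stack parameter proposed in this issue into a
classic WAF LoggingConfiguration with RedactedFields (added example)."""

# Classic WAF FieldToMatch types, and whether each requires a Data value.
FIELD_TYPES = {
    "URI": False, "QUERY_STRING": False, "METHOD": False, "BODY": False,
    "ALL_QUERY_ARGS": False, "HEADER": True, "SINGLE_QUERY_ARG": True,
}

# Default proposed in the thread: redact the Cookie and Authorization headers.
DEFAULT_REDACTIONS = "HEADER=Cookie,HEADER=Authorization"


def parse_redacted_fields(param):
    """Turn 'HEADER=Cookie,SINGLE_QUERY_ARG=UserName' into FieldToMatch dicts.

    An empty parameter falls back to DEFAULT_REDACTIONS; malformed items raise.
    """
    fields = []
    for item in (param or DEFAULT_REDACTIONS).split(","):
        item = item.strip()
        if not item:
            continue
        ftype, sep, data = item.partition("=")
        ftype, data = ftype.strip().upper(), data.strip()
        if ftype not in FIELD_TYPES:
            raise ValueError(f"unknown field type: {ftype}")
        if FIELD_TYPES[ftype] and not data:
            raise ValueError(f"{ftype} requires a value, e.g. {ftype}=Cookie")
        if not FIELD_TYPES[ftype] and sep:
            raise ValueError(f"{ftype} does not take a value")
        field = {"Type": ftype}
        if data:
            field["Data"] = data
        fields.append(field)
    return fields


def build_logging_configuration(web_acl_arn, firehose_arn, redact_param=""):
    """Assemble the LoggingConfiguration body, redactions included."""
    return {
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [firehose_arn],
        "RedactedFields": parse_redacted_fields(redact_param),
    }
```

The returned dict is the `LoggingConfiguration` argument of the classic `waf`/`waf-regional` boto3 clients' `put_logging_configuration` call, which is where a stack parameter like this would be wired in.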