Closed LasseGravesen closed 3 years ago
The sensible place to start here would be to look at other Python web servers and determine what header filtering they put in place. In particular what does Gunicorn do here? Do they output headers / WSGI environ in logs at any point? Do they filter the headers in any particular way?
@tomchristie Gunicorn defines the fields that it logs as follows:
| Identifier | Description |
|---|---|
| h | remote address |
| l | '-' |
| u | user name |
| t | date of the request |
| r | status line (e.g. GET / HTTP/1.1) |
| m | request method |
| U | URL path without query string |
| q | query string |
| H | protocol |
| s | status |
| B | response length |
| b | response length or '-' (CLF format) |
| f | referer |
| a | user agent |
| T | request time in seconds |
| D | request time in microseconds |
| L | request time in decimal seconds |
| p | process ID |
| {header}i | request header |
| {header}o | response header |
| {variable}e | environment variable |

Use lowercase for header and environment variable names, and put `{...}x` names inside `%(...)s`. For example: `%({x-forwarded-for}i)s`, in a log format like `%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"`.
I would really caution against doing logging like Gunicorn does it, I'm quite happy with the way uvicorn handles it, with the exception of not being able to define headers that should be excluded.
I think this is fixed in https://github.com/encode/uvicorn/pull/859
I had an issue pop up when I updated uvicorn to a newer version, specifically it seems that scope.headers got added to the log output, and there appears to be no way to filter what goes into that log.
Here is an example log:
The problem is headers like
`["b'authorization'", "b'Bearer fake-bearer-token'"]`
which can give away sensitive information like API keys or valid Bearer tokens. I would like a feature that gives me the option to exclude specific headers that may include sensitive information that I do not want to be logged. The current way I do this is by creating a custom formatter that drops the scope.headers field entirely.
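One way to get the exclusion the issue asks for without dropping the whole `scope.headers` field, as an added example that is not code from uvicorn or from anyone in this thread: a `logging.Filter` that redacts the values of a configurable set of header names on the log record before any formatter sees it. It assumes, as the issue describes, that the access-log record carries the ASGI scope as the attribute `record.scope` (passed through `extra`) and that `scope["headers"]` is the ASGI list of `(name, value)` byte pairs; the set of sensitive names and the sample scope are constructed for the example.

```python
import logging
from typing import Iterable, List, Tuple

# Header names whose values must never reach a log. ASGI lower-cases header names,
# so the set is lower-case too. This list is an assumption for the example; extend
# it to match what your deployment treats as secret.
SENSITIVE_HEADERS = frozenset(
    {b"authorization", b"proxy-authorization", b"cookie", b"x-api-key"}
)

REDACTED = b"[redacted]"


def redact_headers(
    headers: Iterable[Tuple[bytes, bytes]],
    sensitive: frozenset = SENSITIVE_HEADERS,
) -> List[Tuple[bytes, bytes]]:
    """Return a copy of an ASGI header list with sensitive values replaced.

    Names are lower-cased again so hand-built input is handled the same way as
    real ASGI scopes. The input list is not modified, so the application still
    sees the real header values; only the log copy is scrubbed.
    """
    return [
        (name, REDACTED if name.lower() in sensitive else value)
        for name, value in headers
    ]


class RedactScopeHeadersFilter(logging.Filter):
    """Scrub record.scope["headers"] before any formatter renders the record.

    A filter rather than a formatter is used so the redaction applies no matter
    which formatter (plain text, JSON, ...) is attached to the handler. Records
    that carry no ``scope`` attribute pass through untouched.
    """

    def __init__(self, sensitive: frozenset = SENSITIVE_HEADERS) -> None:
        super().__init__()
        self.sensitive = sensitive

    def filter(self, record: logging.LogRecord) -> bool:
        scope = getattr(record, "scope", None)
        if isinstance(scope, dict) and "headers" in scope:
            # Shallow-copy the scope so the live scope handed to the app is untouched.
            record.scope = {
                **scope,
                "headers": redact_headers(scope["headers"], self.sensitive),
            }
        return True  # never drop the record, only scrub it


def format_headers(scope: dict) -> str:
    """Render scope headers the way a formatter that dumps scope.headers might."""
    return " ".join(f"{n.decode()}={v.decode()}" for n, v in scope["headers"])


if __name__ == "__main__":
    # Constructed ASGI-style scope resembling the one in the issue; the token is fake.
    scope = {
        "type": "http",
        "method": "GET",
        "path": "/",
        "headers": [
            (b"host", b"example.internal"),
            (b"authorization", b"Bearer fake-bearer-token"),
            (b"user-agent", b"curl/7.79"),
        ],
    }
    logger = logging.getLogger("uvicorn.access.example")
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler()
    handler.setFormatter(logging.Formatter("%(message)s headers=%(scope)s"))
    handler.addFilter(RedactScopeHeadersFilter())
    logger.addHandler(handler)
    logger.info('127.0.0.1 - "GET / HTTP/1.1" 200', extra={"scope": scope})
```

Attaching the filter to the handler (rather than the logger) means it also runs for records that arrive via propagation from child loggers, and because the record object is shared between handlers, every handler on that logger sees the redacted copy.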