neatnik / salty

Portable NaCl-powered encryption
MIT License

Logs #5

Closed RickCogley closed 3 years ago

RickCogley commented 3 years ago

Hi - I was thinking about how storing any kind of credentials in a log inadvertently might be an issue when running Salty, but I cannot find any trace of the payloads or keys I've entered in my own server logs.

Can you please confirm the security situation with regard to storing whatever people might enter in forms or send via an API on a Sendy site?

Thanks in advance, Rick

newbold commented 3 years ago

Good question. What’s ultimately stored depends on the web server being used, its configuration, and the method used to invoke the API (i.e. GET vs. POST). The sample minimal API code that I shared the other day uses $_REQUEST, which means it will accept input via GET or POST methods (the sample usage I shared makes use of GET). GET requests have the payload in the URL (using a query string), which means that most web servers will log that data as part of the request being made. A POST payload is typically not logged, though the tradeoff is that there's a little more overhead in making POST requests (in PHP you'd need to use curl, which isn't terrible, but it's not as simple as the GET method).

If you want to dig into more specifics, just let me know, especially if you’re using Apache (which is the only web server that I really know anything about). I’m also glad to make a sample of how you could use the simple API script provided the other day with the POST method via curl, if you're interested — just say the word!

RickCogley commented 3 years ago

Hi and thanks for the quick response. Yes please, I'd love to use POST to try to increase security.

newbold commented 3 years ago

OK, here’s a sample implementation using POST requests via curl:

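<?php

$ch = curl_init();

// Values to send to the API
$action = 'encrypt';
$payload = 'This is a test';
$key = 'secret_key';

curl_setopt($ch, CURLOPT_URL, "https://server/path/to/api.php");
// Send the parameters in the POST body rather than in the query string
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('action' => $action, 'payload' => $payload, 'key' => $key)));
// Return the response as a string instead of printing it directly
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);

// curl_exec() returns false on failure; report the curl error instead
if ($response === false) {
    $response = 'Request failed: ' . curl_error($ch);
}

curl_close($ch);

echo $response;

?>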

In addition to the previous $payload and $key variables, I've also added an $action so you can specify encryption or decryption. This pairs with a slightly updated version of the sample API script, which now looks for that action parameter:

<?php

include('salty.php');

header("Content-type: text/plain");

// $_REQUEST accepts parameters sent via either GET or POST
if(!isset($_REQUEST['payload'])) die('Missing payload parameter.');
if(!isset($_REQUEST['key'])) die('Missing key parameter.');

// Encrypt or decrypt depending on the action parameter
if(isset($_REQUEST['action']) && $_REQUEST['action'] === 'encrypt') {
    die(salty_encrypt($_REQUEST['payload'], salty_key($_REQUEST['key'])));
}
else if(isset($_REQUEST['action']) && $_REQUEST['action'] === 'decrypt') {
    die(salty_decrypt($_REQUEST['payload'], salty_key($_REQUEST['key'])));
}
else {
    // Missing or unrecognized action
    die('Invalid action parameter.');
}

?>

Of course there's no need to use this if you're only interested in encrypting — the previous version of the sample API script will work with the curl usage example above, I think. Let me know if you run into any issues with any of this though.

RickCogley commented 3 years ago

Hi @newbold thanks! Right, our database has a feature called "call url" which lets you pick GET, POST etc, set headers, set the body type and so on. I just had to pick POST, and move the params from the URL into the body as a "form" type. I misunderstood what was needed; I thought I needed to change the lightweight API to accept POST, but it just worked. Sorry for the extra work you did writing out a sample in PHP, but the additional "action" param will be useful at some point!

newbold commented 3 years ago

No worries! Glad everything is working for you. 😄

RickCogley commented 3 years ago

By the way, once you use POST, the Apache server log looks like this:

...
222.111.111.222 - - [01/Sep/2021:04:49:16 +0000] "POST /script.php HTTP/1.1" 200 339 "-" "-"
...
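
The thread above explains that GET requests put `payload` and `key` in the query string, where the web server logs them, while POST requests leave only the path in the log. The following is an added example, not part of the thread or of Salty's own code: a Python check that scans access-log lines for those two parameter names and produces a redacted copy of any line that leaked them. It assumes Apache's common/combined log format and the parameter names from the sample API script; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names taken from the sample API script in this thread.
SENSITIVE = {"key", "payload"}

# Apache common/combined format: host ident user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) '
)

def audit_line(line):
    """Return (leaked_param_names, redacted_line) for one access-log line.
    leaked_param_names is empty when no sensitive parameter was logged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return [], line  # not a parseable request line; leave it untouched
    parts = urlsplit(m["target"])
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = sorted({k for k, _ in pairs if k.lower() in SENSITIVE})
    if not leaked:
        return [], line
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(cleaned)))
    return leaked, line.replace(m["target"], target, 1)

def audit(lines):
    """Yield (line_number, leaked_names, redacted_line) for leaking lines."""
    for n, line in enumerate(lines, 1):
        leaked, redacted = audit_line(line)
        if leaked:
            yield n, leaked, redacted

# Constructed sample log lines (documentation IP address, made-up values).
SAMPLE = [
    '203.0.113.7 - - [01/Sep/2021:04:40:02 +0000] "GET /script.php?payload=This+is+a+test&key=secret_key HTTP/1.1" 200 339 "-" "-"',
    '203.0.113.7 - - [01/Sep/2021:04:49:16 +0000] "POST /script.php HTTP/1.1" 200 339 "-" "-"',
    '203.0.113.7 - - [01/Sep/2021:04:50:00 +0000] "GET /script.php?action=encrypt HTTP/1.1" 200 25 "-" "-"',
]

if __name__ == "__main__":
    for n, leaked, redacted in audit(SAMPLE):
        print(f"line {n}: leaked {leaked}\n  {redacted}")
```

Any key that shows up in a finding should be treated as exposed to everyone who can read the log and its rotated copies, and replaced.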