Secret Masking

Secret masking allows you to keep sensitive data private. This sensitive data can include information like API keys, authentication tokens, passwords, or other types of critical information. Secret masking obscures the values stored for some data fields, preventing the critical values from being displayed and republished throughout the Lumigo platform.

A field with a value containing the substring "key" was masked with [Hidden Information]

Default Behavior

By default, Lumigo applies secret masking to data fields whose names match common regexes such as ".*pass.*" and ".*key.*". The full list of regexes matched by default is below:

[".*pass.*",".*key.*",".*secret.*",".*credential.*",".*passphrase.*","SessionToken","x-amz-security-token","Signature","Credential","Authorization"]

Customization

To override the default regular expressions, add the LUMIGO_SECRET_MASKING_REGEX environment variable to your Lambda function’s definition:

Key                          Value
LUMIGO_SECRET_MASKING_REGEX  ["regex1", "regex2",...]

More granular masking is supported through the following parameters, each of which covers one category of captured data. Any parameter that is not set falls back to the LUMIGO_SECRET_MASKING_REGEX configuration above.

Key                                                 Value
LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES     ["regex1", "regex2",...] | "all"
LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS    ["regex1", "regex2",...] | "all"
LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES    ["regex1", "regex2",...] | "all"
LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS   ["regex1", "regex2",...] | "all"
LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS       ["regex1", "regex2",...] | "all"
LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT             ["regex1", "regex2",...] | "all"

Whitelisting

Fields such as KeyConditionExpression and ExclusiveStartKey match the default ".*key.*" pattern and are therefore masked. To unhide them, add the LUMIGO_WHITELIST_KEYS_REGEXES environment variable to your Lambda function's definition; a field whose name matches a whitelist regex is shown even if it also matches a masking regex.

For example: LUMIGO_WHITELIST_KEYS_REGEXES = "['.*TableName.*', 'KeyConditionExpression']"

Key                            Value
LUMIGO_WHITELIST_KEYS_REGEXES  ["regex1", "regex2",...]

Notes

  • All the regexes are case-insensitive.
  • To completely disable the default secret masking behavior, set an EMPTY list as the value: LUMIGO_SECRET_MASKING_REGEX = []
  • For HTTP requests made from the Lambda function, Lumigo applies secret masking only when the request headers contain 'content-type': 'application/json'.
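To make the rules above concrete, here is an added example (not Lumigo's tracer code) that parses a LUMIGO_SECRET_MASKING_REGEX* variable and masks a JSON payload the way the page describes: default patterns, case-insensitive matching, whitelist overrides, [] to disable, "all" to hide everything, and no masking for non-JSON content. Field names are full-matched against each regex; that, the `patterns_from_env`/`mask_fields` names and the SAMPLE payload are my assumptions.

```python
import json
import os
import re

# Default patterns listed on the page; matching is case-insensitive per the Notes.
DEFAULT_SECRET_PATTERNS = [".*pass.*", ".*key.*", ".*secret.*", ".*credential.*",
                           ".*passphrase.*", "SessionToken", "x-amz-security-token",
                           "Signature", "Credential", "Authorization"]
HIDDEN = "[Hidden Information]"


def patterns_from_env(name, fallback, env=os.environ):
    """Parse one LUMIGO_SECRET_MASKING_REGEX* variable: JSON list, "all", or absent -> fallback."""
    raw = env.get(name)
    if raw is None:
        return fallback
    value = "all" if raw.strip().strip('"') == "all" else json.loads(raw)
    if value == "all" or isinstance(value, list):
        return value
    raise ValueError(f'{name}: expected a JSON list of regexes or "all"')


def mask_fields(data, secret_patterns=None, whitelist_patterns=(), content_type="application/json"):
    """Return a masked copy of a JSON-like payload (illustrative logic, not Lumigo's own).
    Assumption: field names are full-matched against the regexes; whitelist wins over masking."""
    if secret_patterns is None:
        secret_patterns = DEFAULT_SECRET_PATTERNS
    if not content_type.lower().startswith("application/json"):
        return data  # Notes: masking only runs for application/json requests
    if secret_patterns == "all":
        return HIDDEN  # "all" hides the entire category
    secrets = [re.compile(p, re.IGNORECASE) for p in secret_patterns]  # [] masks nothing
    allowed = [re.compile(p, re.IGNORECASE) for p in whitelist_patterns]

    def is_hidden(name):
        if any(a.fullmatch(name) for a in allowed):
            return False
        return any(s.fullmatch(name) for s in secrets)

    def walk(node):
        if isinstance(node, dict):
            return {k: (HIDDEN if is_hidden(k) else walk(v)) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return walk(data)


# Constructed DynamoDB-style request body, not a real capture.
SAMPLE = {"TableName": "users", "KeyConditionExpression": "id = :id",
          "ExclusiveStartKey": {"id": "1"}, "password": "hunter2",
          "headers": {"Authorization": "Bearer x", "x-request-id": "42"}}
```

Running `mask_fields(SAMPLE)` hides KeyConditionExpression, ExclusiveStartKey, password and Authorization while TableName and x-request-id stay visible; passing `whitelist_patterns=[".*TableName.*", "KeyConditionExpression"]` restores KeyConditionExpression only.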

What’s Next

Do you want to block entire domains from showing?