Secret Masking / Data Scrubbing
Secret masking allows you to keep sensitive data private. This sensitive data can include information like API keys, authentication tokens, passwords, or other types of critical information. Secret masking obscures the values stored for some data fields, preventing sensitive data from being processed and displayed by Lumigo.
When a key matches a prespecified regex or exact path, the value will be masked by Lumigo
Default Behavior
By default, Lumigo will apply secret masking on fields where the key matches common regexes like "._pass.", "._key.*", and so on. The full list of regexes matched by default is below:
[".*pass.*",".*key.*",".*secret.*",".*credential.*",".*passphrase.*","SessionToken","x-amz-security-token","Signature","Credential","Authorization"]Customization
To override the default regular expressions, add the LUMIGO_SECRET_MASKING_REGEX environment variable to your Lambda function’s definition:
| Key | Value |
|---|---|
| LUMIGO_SECRET_MASKING_REGEX | '["regex1", "regex2",...]' |
We support more granular masking using the following parameters. If not given, the above configuration is the fallback
| Key | Value |
|---|---|
| LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_BODIES | '["regex1", "regex2",...]' | 'all' |
| LUMIGO_SECRET_MASKING_REGEX_HTTP_REQUEST_HEADERS | '["regex1", "regex2",...]' | 'all' |
| LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_BODIES | '["regex1", "regex2",...]' | 'all' |
| LUMIGO_SECRET_MASKING_REGEX_HTTP_RESPONSE_HEADERS | '["regex1", "regex2",...]' | 'all' |
| LUMIGO_SECRET_MASKING_REGEX_HTTP_QUERY_PARAMS | '["regex1", "regex2",...]' | 'all' |
| LUMIGO_SECRET_MASKING_REGEX_ENVIRONMENT | '["regex1", "regex2",...]' | 'all' |
We support the masking of exact paths, specifically in order to support masking of specific fields in nested JSON objects:
| Key | Value |
|---|---|
| LUMIGO_SECRET_MASKING_EXACT_PATH | '["key1.key2", "key3.key4"]' |
Whitelisting
To unhide KeyConditionExpression and ExclusiveStartKey, add the LUMIGO_WHITELIST_KEYS_REGEXES environment variable to your Lambda function’s definition.
For example: LUMIGO_WHITELIST_KEYS_REGEXES = '[".TableName.", "KeyConditionExpression"]'
| Key | Value |
|---|---|
| LUMIGO_WHITELIST_KEYS_REGEXES | '["regex1", "regex2",...]' |
Notes
- All the regexes are case-insensitive.
- To completely disable secret masking default behavior, use an EMPTY list value:
LUMIGO_SECRET_MASKING_REGEX = []- Lumigo will apply secret masking on http requests, triggered by Lambda, only in case the headers contain 'content-type': 'application/json'
- Please ensure that the values of environment variables are strings enclosed with ".
Additionally, the list of values inside the [] should be enclose with '.
Correct example:'[".*TableName*.", "KeyConditionExpression"]'
Incorrect example:"['.*TableName*.', 'KeyConditionExpression']"
Updated 3 months ago
Do you want to block entire domains from showing ?