For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gowenfawr's avatar
gowenfawr
Icon for Nimbostratus rankNimbostratus
Aug 20, 2013

How to mask HTTP Authorization header in ASM logs, similar to sensitive parameters?

The subject pretty much says it all. We use the "Sensitive Parameters" setting described in Chapter 9 of the "Configuration Guide for BIG-IP Application Security Manager" to ensure that passwords an...
ASM Advanced WAF
security
Torti's avatar
Torti
Icon for Cirrus rankCirrus
Aug 21, 2013

Hi,

 

there is no option to do this. A Header is no part of the body and it isn't a "classic http parameter". If you need such an option, you should open a feature request. If it is a problem, because you send the log files to another destination? Perhaps, you could do it there.

 

gowenfawr's avatar
gowenfawr
Icon for Nimbostratus rankNimbostratus
Aug 21, 2013
These logs are not shipped off, they're only available via the F5 ASM log interface. However, obviously there's value in obfuscating sensitive data there - otherwise the option to do it with URI parameters and XML body wouldn't be there. I have two services protected by the ASM today - one passes credentials as XML elements, the other is RESTful and uses HTTP basic authentication. The first is protected, the latter isn't - and while I trust my network admins, they have no need to know our customer's passwords. I will open a feature request - thank you for that suggestion.