{"componentChunkName":"component---src-templates-tag-js","path":"/tags/data-masking/","result":{"data":{"site":{"siteMetadata":{"title":"LoginRadius Blog"}},"allMarkdownRemark":{"totalCount":1,"edges":[{"node":{"fields":{"slug":"/engineering/user-privacy-data-masking-in-nginx-logs/"},"html":"<p>There are several Consumer/User data protection regulations in place to protect customer data and privacy. With data protection act like the California Consumer Privacy Act (CCPA) and the European Union's GDPR improving awareness of privacy rights, many data-driven businesses have sought to determine which of their applications contain sensitive data, where the sensitive data goes, and why data is going. As a result, they are re-evaluating their data protection controls for employee and consumer data.</p>\n<p> Your program must record vast volumes of data to meet business requirements. It's likely that the application log data contains highly sensitive information. Email addresses, URL parameters such as tokens, credit card data, jobs data, Login Credentials, and Official ID Numbers (passport numbers, driver's license numbers, social security numbers), and authentication tokens may be included in specific log messages. It is important to mask sensitive details such as authentication tokens or credit card info while logging.</p>\n<p> A few years ago, Twitter requested users to reset their passwords. According to <a href=\"https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html\">Twitter's release</a>, passwords were written in the logs without masking, allowing those with access to the logs to see the password. In most startups or small businesses, all staff members have access to all tools, so masking confidential data is critical. Most log management tools allow you to mask any information until it is saved in the logs. Most of the log monitoring tools provide the feature for masking any information before it will save in the logs.</p>\n<h3 id=\"masking-sensitive-data-in-nginx-logs\" style=\"position:relative;\"><a href=\"#masking-sensitive-data-in-nginx-logs\" aria-label=\"masking sensitive data in nginx logs permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Masking Sensitive Data in Nginx Logs</h3>\n<p> By default, Nginx logs predefined format is combined. As you know, we can overwrite access log formatting as per the requirement. The NGINX JavaScript plugin can be used to enforce data masking in NGINX logs. This module is a kind of JavaScript implementation for NGINX and NGINX Plus that is intended for server-side use cases and per-request processing. When each request is logged, we run a small amount of JavaScript code to masking the sensitive data.</p>\n<h3 id=\"instructions-for-enabling-the-nginx-javascript-module\" style=\"position:relative;\"><a href=\"#instructions-for-enabling-the-nginx-javascript-module\" aria-label=\"instructions for enabling the nginx javascript module permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Instructions for enabling the NGINX JavaScript module</h3>\n<p> The NGINX JavaScript module is by default included in the official NGINX Docker image. if your installed version is 1.9.11 or later, then you can install NGINX JavaScript as a prebuilt package for your platform</p>\n<ol>\n<li>\n<p>Install the prebuilt package.</p>\n<p>Ubuntu and Debian systems</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"javascript\" data-index=\"0\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk12\">$</span><span class=\"mtk1\"> </span><span class=\"mtk12\">sudo</span><span class=\"mtk1\"> </span><span class=\"mtk12\">apt</span><span class=\"mtk1\">-</span><span class=\"mtk12\">get</span><span class=\"mtk1\"> </span><span class=\"mtk12\">install</span><span class=\"mtk1\"> </span><span class=\"mtk12\">nginx</span><span class=\"mtk1\">-</span><span class=\"mtk10\">module</span><span class=\"mtk1\">-</span><span class=\"mtk12\">njs</span></span></code></pre>\n<p>RedHat, CentOS, and Oracle Linux systems</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"javascript\" data-index=\"1\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk12\">$</span><span class=\"mtk1\"> </span><span class=\"mtk12\">sudo</span><span class=\"mtk1\"> </span><span class=\"mtk12\">yum</span><span class=\"mtk1\"> </span><span class=\"mtk12\">install</span><span class=\"mtk1\"> </span><span class=\"mtk12\">nginx</span><span class=\"mtk1\">-</span><span class=\"mtk10\">module</span><span class=\"mtk1\">-</span><span class=\"mtk12\">njs</span></span></code></pre>\n</li>\n<li>\n<p>Enable the module by adding a load module directive in the nginx.conf</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"javascript\" data-index=\"2\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk12\">load_module</span><span class=\"mtk1\"> </span><span class=\"mtk12\">modules</span><span class=\"mtk1\">/</span><span class=\"mtk12\">ngx_http_js_module</span><span class=\"mtk1\">.</span><span class=\"mtk12\">so</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk12\">load_module</span><span class=\"mtk1\"> </span><span class=\"mtk12\">modules</span><span class=\"mtk1\">/</span><span class=\"mtk12\">ngx_stream_js_module</span><span class=\"mtk1\">.</span><span class=\"mtk12\">so</span><span class=\"mtk1\">;</span></span></code></pre>\n</li>\n<li>\n<p>Reload NGINX service</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"javascript\" data-index=\"3\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">    </span><span class=\"mtk12\">sudo</span><span class=\"mtk1\"> </span><span class=\"mtk12\">nginx</span><span class=\"mtk1\"> -</span><span class=\"mtk12\">s</span><span class=\"mtk1\"> </span><span class=\"mtk12\">reload</span></span></code></pre>\n</li>\n</ol>\n<h3 id=\"how-to-mask-query-string-in-nginx-and-nginx-plus\" style=\"position:relative;\"><a href=\"#how-to-mask-query-string-in-nginx-and-nginx-plus\" aria-label=\"how to mask query string in nginx and nginx plus permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>How to mask Query String in NGINX and NGINX Plus</h3>\n<p> An application can be passed some potentially confidential information as query string parameters like tokens, public key, etc., this information logged as part of the request URI. If your program sends personal information in this manner, you can use the NGINX JavaScript module for masking customer/user personal information in the query string.</p>\n<ol>\n<li>\n<p>Create a new file <code>maskQueryString.js</code></p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"javascript\" data-index=\"4\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk12\">vi</span><span class=\"mtk1\"> </span><span class=\"mtk12\">maskQueryString</span><span class=\"mtk1\">.</span><span class=\"mtk12\">js</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk4\">function</span><span class=\"mtk1\"> </span><span class=\"mtk11\">fnv32a</span><span class=\"mtk1\">(</span><span class=\"mtk12\">str</span><span class=\"mtk1\">) {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk4\">var</span><span class=\"mtk1\"> </span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> = </span><span class=\"mtk7\">2166136261</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">       </span><span class=\"mtk15\">for</span><span class=\"mtk1\"> (</span><span class=\"mtk4\">var</span><span class=\"mtk1\"> </span><span class=\"mtk12\">i</span><span class=\"mtk1\"> = </span><span class=\"mtk7\">0</span><span class=\"mtk1\">; </span><span class=\"mtk12\">i</span><span class=\"mtk1\"> &lt; </span><span class=\"mtk12\">str</span><span class=\"mtk1\">.</span><span class=\"mtk12\">length</span><span class=\"mtk1\">; ++</span><span class=\"mtk12\">i</span><span class=\"mtk1\"> ) {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">           </span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> ^= </span><span class=\"mtk12\">str</span><span class=\"mtk1\">.</span><span class=\"mtk11\">charCodeAt</span><span class=\"mtk1\">(</span><span class=\"mtk12\">i</span><span class=\"mtk1\">);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">           </span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> += (</span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> &lt;&lt; </span><span class=\"mtk7\">1</span><span class=\"mtk1\">) + (</span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> &lt;&lt; </span><span class=\"mtk7\">4</span><span class=\"mtk1\">) + (</span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> &lt;&lt; </span><span class=\"mtk7\">7</span><span class=\"mtk1\">) + (</span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> &lt;&lt; </span><span class=\"mtk7\">8</span><span class=\"mtk1\">) + (</span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> &lt;&lt; </span><span class=\"mtk7\">24</span><span class=\"mtk1\">);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">       }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">       </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> </span><span class=\"mtk12\">hval</span><span class=\"mtk1\"> &gt;&gt;&gt; </span><span class=\"mtk7\">0</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   }</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk4\">function</span><span class=\"mtk1\"> </span><span class=\"mtk11\">maskQueryStringParameters</span><span class=\"mtk1\">(</span><span class=\"mtk12\">req</span><span class=\"mtk1\">) {</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk4\">var</span><span class=\"mtk1\"> </span><span class=\"mtk12\">query_string</span><span class=\"mtk1\"> = </span><span class=\"mtk12\">req</span><span class=\"mtk1\">.</span><span class=\"mtk12\">variables</span><span class=\"mtk1\">.</span><span class=\"mtk12\">query_string</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (</span><span class=\"mtk12\">query_string</span><span class=\"mtk1\">.</span><span class=\"mtk12\">length</span><span class=\"mtk1\">) {                     </span><span class=\"mtk3\">// Proceed if we have query string</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">       </span><span class=\"mtk4\">var</span><span class=\"mtk1\"> </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\"> = </span><span class=\"mtk12\">query_string</span><span class=\"mtk1\">.</span><span class=\"mtk11\">split</span><span class=\"mtk1\">(</span><span class=\"mtk8\">&#39;&&#39;</span><span class=\"mtk1\">);     </span><span class=\"mtk3\">// Convert to array of key=value</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">           </span><span class=\"mtk15\">for</span><span class=\"mtk1\"> (</span><span class=\"mtk4\">var</span><span class=\"mtk1\"> </span><span class=\"mtk12\">i</span><span class=\"mtk1\"> = </span><span class=\"mtk7\">0</span><span class=\"mtk1\">; </span><span class=\"mtk12\">i</span><span class=\"mtk1\"> &lt; </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">.</span><span class=\"mtk12\">length</span><span class=\"mtk1\">; </span><span class=\"mtk12\">i</span><span class=\"mtk1\">++) { </span><span class=\"mtk3\">// Iterate through each Key Value pairs pair</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk4\">var</span><span class=\"mtk1\"> </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\"> = </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk12\">i</span><span class=\"mtk1\">].</span><span class=\"mtk11\">split</span><span class=\"mtk1\">(</span><span class=\"mtk8\">&#39;=&#39;</span><span class=\"mtk1\">);    </span><span class=\"mtk3\">// Split Key Value pair into new array</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (</span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk7\">0</span><span class=\"mtk1\">] == </span><span class=\"mtk8\">&quot;token&quot;</span><span class=\"mtk1\">) {              </span><span class=\"mtk3\">// Mask token query paramter</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk3\">// Use first 5 digits of masked value</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk12\">kvpairs</span><span class=\"mtk1\">[</span><span class=\"mtk12\">i</span><span class=\"mtk1\">] = </span><span class=\"mtk12\">kvpair</span><span class=\"mtk1\">[</span><span class=\"mtk7\">0</span><span class=\"mtk1\">] + </span><span class=\"mtk8\">&quot;=&quot;</span><span class=\"mtk1\"> + </span><span class=\"mtk11\">fnv32a</span><span class=\"mtk1\">(</span><span class=\"mtk12\">kvpair</span><span class=\"mtk1\">[</span><span class=\"mtk7\">1</span><span class=\"mtk1\">]).</span><span class=\"mtk11\">toString</span><span class=\"mtk1\">().</span><span class=\"mtk11\">substr</span><span class=\"mtk1\">(</span><span class=\"mtk7\">5</span><span class=\"mtk1\">);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               } </span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk12\">ekse</span><span class=\"mtk1\"> </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (</span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk7\">0</span><span class=\"mtk1\">] == </span><span class=\"mtk8\">&quot;accountno&quot;</span><span class=\"mtk1\">) {              </span><span class=\"mtk3\">// Mask account no</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk3\">// Use first 7 digits of masked value</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk12\">i</span><span class=\"mtk1\">] = </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk7\">0</span><span class=\"mtk1\">] + </span><span class=\"mtk8\">&quot;=&quot;</span><span class=\"mtk1\"> + </span><span class=\"mtk11\">fnv32a</span><span class=\"mtk1\">(</span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk7\">1</span><span class=\"mtk1\">]).</span><span class=\"mtk11\">toString</span><span class=\"mtk1\">().</span><span class=\"mtk11\">substr</span><span class=\"mtk1\">(</span><span class=\"mtk7\">0</span><span class=\"mtk1\">,</span><span class=\"mtk7\">7</span><span class=\"mtk1\">);</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               } </span><span class=\"mtk15\">else</span><span class=\"mtk1\"> </span><span class=\"mtk15\">if</span><span class=\"mtk1\"> (</span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk7\">0</span><span class=\"mtk1\">] == </span><span class=\"mtk8\">&quot;email&quot;</span><span class=\"mtk1\">) {     </span><span class=\"mtk3\">// Mask email</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk3\">// Use hash as prefix for a single domain</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">               </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk12\">i</span><span class=\"mtk1\">] = </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk7\">0</span><span class=\"mtk1\">] + </span><span class=\"mtk8\">&quot;=&quot;</span><span class=\"mtk1\"> + </span><span class=\"mtk11\">fnv32a</span><span class=\"mtk1\">(</span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">[</span><span class=\"mtk7\">1</span><span class=\"mtk1\">]) + </span><span class=\"mtk8\">&quot;@sample.com&quot;</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">           }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   }</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">   </span><span class=\"mtk15\">return</span><span class=\"mtk1\"> </span><span class=\"mtk12\">req</span><span class=\"mtk1\">.</span><span class=\"mtk12\">uri</span><span class=\"mtk1\"> + </span><span class=\"mtk8\">&quot;?&quot;</span><span class=\"mtk1\"> + </span><span class=\"mtk12\">keyvaluepairs</span><span class=\"mtk1\">.</span><span class=\"mtk11\">join</span><span class=\"mtk1\">(</span><span class=\"mtk8\">&#39;&&#39;</span><span class=\"mtk1\">);  </span><span class=\"mtk3\">// Construct masked URI</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk15\">return</span><span class=\"mtk1\"> </span><span class=\"mtk12\">req</span><span class=\"mtk1\">.</span><span class=\"mtk12\">uri</span><span class=\"mtk1\">; </span><span class=\"mtk3\">// No query string, return URI</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">}</span></span></code></pre>\n<p>The maskQueryStringParameters function loops through and key-value pair in the query string, searching for individual keys that have been identified as containing personal data. The value is converted into a masked value for each of these keys.</p>\n</li>\n<li>Include <code>maskQueryString.js</code> file in the <code>nginx.config</code> file </li>\n</ol>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"javascript\" data-index=\"5\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">     </span><span class=\"mtk12\">http</span><span class=\"mtk1\"> {</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\"> </span><span class=\"mtk12\">js_include</span><span class=\"mtk1\"> </span><span class=\"mtk12\">maskQueryString</span><span class=\"mtk1\">.</span><span class=\"mtk12\">js</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\"> </span><span class=\"mtk12\">js_set</span><span class=\"mtk1\">     </span><span class=\"mtk12\">$request_uri_masked</span><span class=\"mtk1\"> </span><span class=\"mtk12\">maskQueryStringParameters</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\"> </span><span class=\"mtk12\">log_format</span><span class=\"mtk1\"> </span><span class=\"mtk12\">custom_log_format</span><span class=\"mtk1\"> </span><span class=\"mtk8\">&#39;$remote_addr - $remote_user [$time_local] &#39;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">                        </span><span class=\"mtk8\">&#39;&quot;$request&quot; $status $body_bytes_sent $request_uri_masked &#39;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">                        </span><span class=\"mtk8\">&#39;&quot;$http_host&quot; &quot;$upstream_response_time&quot;&#39;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">                         </span><span class=\"mtk8\">&#39;&quot;$http_referer&quot; &quot;$http_user_agent&quot; clientId=&quot;$clientid&quot;&#39;</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\"> </span><span class=\"mtk12\">access_log</span><span class=\"mtk1\"> /</span><span class=\"mtk12\">spool</span><span class=\"mtk1\">/</span><span class=\"mtk12\">logs</span><span class=\"mtk1\">/</span><span class=\"mtk12\">nginx</span><span class=\"mtk1\">-</span><span class=\"mtk12\">access</span><span class=\"mtk1\">.</span><span class=\"mtk12\">log</span><span class=\"mtk1\"> </span><span class=\"mtk12\">custom_log_format</span><span class=\"mtk1\">;</span></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">....................</span></span>\n<span class=\"grvsc-line\"></span>\n<span class=\"grvsc-line\"><span class=\"mtk1\">  }</span></span></code></pre>\n<p> In the above example, I am using the <code>maskQueryStringParameters</code> js function and Since we only need to mask the query string, so using a different variable $request<em>uri</em>masked and then using the same variable in the log format. </p>\n<p>3.Reload NGINX service</p>\n<pre class=\"grvsc-container dark-default-dark\" data-language=\"javascript\" data-index=\"6\"><code class=\"grvsc-code\"><span class=\"grvsc-line\"><span class=\"mtk1\">      </span><span class=\"mtk12\">sudo</span><span class=\"mtk1\"> </span><span class=\"mtk12\">nginx</span><span class=\"mtk1\"> -</span><span class=\"mtk12\">s</span><span class=\"mtk1\"> </span><span class=\"mtk12\">reload</span></span></code></pre>\n<p> Now nginx will store <code>token</code>, <code>accountno</code>,  and <code>email</code> in the logs after sanitizing the data. </p>\n<h3 id=\"summery\" style=\"position:relative;\"><a href=\"#summery\" aria-label=\"summery permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summery</h3>\n<p>These best practices will help you keep confidential information out of your logs. It's not a full package that will get you ready for a HIPAA or SOC2 audit, but it'll get you started.</p>\n<p>The NGINX JavaScript module provides a quick and efficient approach for adding custom logic like data sanitizing to request processing. I showed how NGINX JavaScript could be used to mask personal data in the log files.</p>\n<p>You can get more detail about the Nginx logs and mask from here -\n<a href=\"https://www.loginradius.com/blog/engineering/user-privacy-data-masking-in-nginx-logs/\">Nginx - Everything you want to know about the Nginx logs in 10 minutes</a></p>\n<style class=\"grvsc-styles\">\n  .grvsc-container {\n    overflow: auto;\n    -webkit-overflow-scrolling: touch;\n    padding-top: 1rem;\n    padding-top: var(--grvsc-padding-top, var(--grvsc-padding-v, 1rem));\n    padding-bottom: 1rem;\n    padding-bottom: var(--grvsc-padding-bottom, var(--grvsc-padding-v, 1rem));\n    border-radius: 8px;\n    border-radius: var(--grvsc-border-radius, 8px);\n    font-feature-settings: normal;\n  }\n  \n  .grvsc-code {\n    display: inline-block;\n    min-width: 100%;\n  }\n  \n  .grvsc-line {\n    display: inline-block;\n    box-sizing: border-box;\n    width: 100%;\n    padding-left: 1.5rem;\n    padding-left: var(--grvsc-padding-left, var(--grvsc-padding-h, 1.5rem));\n    padding-right: 1.5rem;\n    padding-right: var(--grvsc-padding-right, var(--grvsc-padding-h, 1.5rem));\n  }\n  \n  .grvsc-line-highlighted {\n    background-color: var(--grvsc-line-highlighted-background-color, transparent);\n    box-shadow: inset var(--grvsc-line-highlighted-border-width, 4px) 0 0 0 var(--grvsc-line-highlighted-border-color, transparent);\n  }\n  \n  .dark-default-dark {\n    background-color: #1E1E1E;\n    color: #D4D4D4;\n  }\n  .dark-default-dark .mtk12 { color: #9CDCFE; }\n  .dark-default-dark .mtk1 { color: #D4D4D4; }\n  .dark-default-dark .mtk10 { color: #4EC9B0; }\n  .dark-default-dark .mtk4 { color: #569CD6; }\n  .dark-default-dark .mtk11 { color: #DCDCAA; }\n  .dark-default-dark .mtk7 { color: #B5CEA8; }\n  .dark-default-dark .mtk15 { color: #C586C0; }\n  .dark-default-dark .mtk3 { color: #6A9955; }\n  .dark-default-dark .mtk8 { color: #CE9178; }\n</style>","frontmatter":{"date":"May 18, 2021","updated_date":null,"title":"Data Masking In Nginx Logs For User Data Privacy And Compliance","tags":["Nginx","Logs","Data Masking","Compliance","Privacy"],"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.3333333333333333,"src":"/static/e50f9d5601792a8e4e32b1b89444ca3b/991d2/data-masking-in-nginx-logs-for-user-data-privacy-and-compliance.webp","srcSet":"/static/e50f9d5601792a8e4e32b1b89444ca3b/61e93/data-masking-in-nginx-logs-for-user-data-privacy-and-compliance.webp 200w,\n/static/e50f9d5601792a8e4e32b1b89444ca3b/1f5c5/data-masking-in-nginx-logs-for-user-data-privacy-and-compliance.webp 400w,\n/static/e50f9d5601792a8e4e32b1b89444ca3b/991d2/data-masking-in-nginx-logs-for-user-data-privacy-and-compliance.webp 640w","sizes":"(max-width: 640px) 100vw, 640px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}}]}},"pageContext":{"tag":"Data Masking"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}