The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Data sanitization

sanitize_field_names configuration

Sometimes it is necessary to sanitize, i.e., remove, sensitive data sent to Elastic APM.

This config accepts a list of wildcard patterns of field names which control how an agent will sanitize data.

Type List<WildcardMatcher>
Default password, passwd, pwd, secret, *key, *token*, *session*, *credit*, *card*, *auth*, set-cookie, *principal*
Dynamic true
Central config true

Configuration

Agents MUST provide a minimum default configuration of

[ 'password', 'passwd', 'pwd', 'secret', '*key', '*token*', '*session*',
  '*credit*','*card*', '*auth*', 'set-cookie', '*principal*' ]

for the sanitize_field_names configuration value. Agents MAY include the following extra fields in their default configuration to avoid breaking changes:

['pw','pass','connect.sid']

Sanitizing Values

If a payload field's name (a header key, a form key) matches a configured wildcard, that field's value MUST be redacted and the key itself MUST still be reported in the agent payload. Agents MAY choose the string they use to replace the value so long as it's consistent and does not reveal the value it has replaced. The replacement string SHOULD be [REDACTED].

Fields that MUST be sanitized are:

  • HTTP Request and Response headers (except HTTP/2 pseudo-headers which SHOULD NOT be redacted),
  • form fields in an application/x-www-form-urlencoded request body, and
  • HTTP Request cookies.

Additionally, if cookie headers are parsed into name/value pairs and reported to APM Server via the agent (for example, transaction.context.request.cookies), the values of these pairs MUST be sanitized and the cookie header removed or redacted.

The query string and other captured request bodies (such as application/json) SHOULD NOT be sanitized.

Agents SHOULD NOT sanitize fields based on the value of a particular field.
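
The rules above, applied to headers, parsed cookies and a urlencoded form body, as an added example that is not part of the spec or of any agent's code. The function names and the sample request are constructed for illustration, and the matcher semantics ('*' as a wildcard, case-insensitive, whole-name match) are an assumption this page does not spell out.

```python
import re
from urllib.parse import parse_qsl

# Default list copied from the spec text above.
DEFAULTS = ["password", "passwd", "pwd", "secret", "*key", "*token*",
            "*session*", "*credit*", "*card*", "*auth*", "set-cookie",
            "*principal*"]
REDACTED = "[REDACTED]"
# Constructed sample request (not from the spec).
SAMPLE_HEADERS = [(":authority", "shop.example"), ("Authorization", "Bearer abc"),
                  ("Cookie", "sessionid=s3cr3t; theme=dark"), ("Accept", "*/*")]
SAMPLE_FORM = "user=alice&password=hunter2&card_number=4111"

def compile_patterns(patterns):
    # Assumption (not stated on this page): '*' matches any run of characters,
    # and matching is case-insensitive over the whole field name.
    return [re.compile(".*".join(map(re.escape, p.split("*"))), re.IGNORECASE)
            for p in patterns]

def is_sensitive(name, matchers):
    return any(m.fullmatch(name) for m in matchers)

def sanitize_pairs(pairs, matchers, keep_pseudo=False):
    """Redact values by key name only; every key is still reported."""
    out = []
    for key, value in pairs:
        pseudo = keep_pseudo and key.startswith(":")  # HTTP/2 pseudo-header
        hit = not pseudo and is_sensitive(key, matchers)
        out.append((key, REDACTED if hit else value))
    return out

def sanitize_request(headers, form_body, matchers):
    """headers: list of (name, value); form_body: urlencoded string."""
    cookies, kept = [], []
    for name, value in headers:
        if name.lower() == "cookie":
            # Parsed into pairs, so the raw header itself is redacted too.
            for part in filter(None, (p.strip() for p in value.split(";"))):
                k, _, v = part.partition("=")
                cookies.append((k, v))
            value = REDACTED
        kept.append((name, value))
    return {
        "headers": dict(sanitize_pairs(kept, matchers, keep_pseudo=True)),
        "cookies": dict(sanitize_pairs(cookies, matchers)),
        "form": dict(sanitize_pairs(
            parse_qsl(form_body, keep_blank_values=True), matchers)),
    }
```

With the default list, the :authority pseudo-header would match *auth* if the pseudo-header exception were not applied, which is why the sketch checks for it before matching.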