I want to make sure that exception logging does not log sensitive information (i.e. Twitter, Github recent breaches).
I have code that looks like this:
ServiceExceptionHandlers.Add((req, request, exception) =>
{
string headers = GetInterestingHeaders(req.Headers);
// log exception
Logger.Error($$"{req.OperationName} failed. {headers}", ex: exception, data: request);
// call default exception handler
return DtoUtils.CreateErrorResponse(request, exception);
});
UncaughtExceptionHandlers.Add((req, res, operationName, ex) =>
{
if (ex is HttpException)
{
res.EndRequest();
}
else
{
string headers = GetInterestingHeaders(req.Headers);
Logger.Fatal($$"Error for {operationName}: {ex.GetType().Name}: {headers}", ex: ex, data: req.Dto);
}
});
As you can see I pass an Object to the logging mechanism which then takes the data field and turns it into JSON for storage:
JsonSerializer.SerializeToString(data).
Because the data going into the JsonSerializer can come from anywhere and possibly even contain anything, is it possible to create an overriden type of JsonSerializer (for example SecureJsonSerializer) which would find fields containing strings like Password or Credit or Card and turn their inputs into ###'s? Or is there a better way to go about doing something like this?