Comments (6)
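For those coming to this as I did, please be aware that the serializer will mutate the incoming request.
If your intention is to only remove from the logs:

```js
import pino from 'pino'
import pinoHttp from 'pino-http'

const logger = pino()

export const httpLogger = pinoHttp({
  logger,
  // Censor the value in the log output only
  redact: {
    paths: ['req.headers.authorization'], // pino expects an array of paths
  },
})
```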
Note that something like `delete r.headers['cookie']` will remove the cookie from the request. It's generally safer to have the serializer return a new object for a couple reasons:
- A pure function that doesn't mutate its input is more likely to be safe and correct.
- Redacting/blocklists will almost always result in leaked data. For example, you might redact the `cookie` header, but a user of your API might attempt to set the `Authorization` header with an access token.
- Redacting/blocklists will need perpetual maintenance. Standards change, and there could be a new sensitive header that your code didn't expect.

Moving to a pure function that specifically pulls out the values you need in your logs is safer. Here is an example of what I've used:
```js
const pino = require('pino')

const logger = require('pino-http')({
  serializers: {
    req: pino.stdSerializers.wrapRequestSerializer((req) => {
      return {
        id: req.raw.id,
        method: req.raw.method,
        path: req.raw.url.split('?')[0], // Remove query params which might be sensitive
        // Allowlist useful headers
        headers: {
          host: req.raw.headers.host,
          'user-agent': req.raw.headers['user-agent'],
          referer: req.raw.headers.referer,
        }
      };
    }),
    res: pino.stdSerializers.wrapResponseSerializer((res) => {
      return {
        statusCode: res.raw.statusCode,
        // Allowlist useful headers. Read them from the wrapped serializer's
        // `res.headers`; `res.raw` is a ServerResponse and has no `headers` property.
        headers: {
          'content-type': res.headers['content-type'],
          'content-length': res.headers['content-length'],
        }
      };
    }),
  },
});
```
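The difference between the delete-based blocklist serializer and the allowlist serializer discussed in this thread, as an added example that is not part of the original comments or of pino-http's code. It uses plain functions and a constructed request object so it runs without pino; the function names, header values and tokens are assumptions made for illustration.

```javascript
// Added example: plain functions standing in for pino-http `req` serializers.
// All names and sample values below are constructed for illustration.

// Blocklist style: deletes a known-sensitive header from the object it receives.
// `r.headers` is the object the application also reads, so the live request changes.
function blocklistSerializer (r) {
  delete r.headers.cookie
  return r
}

// Allowlist style: builds a new object from named fields and never writes to `req`.
const ALLOWED_REQ_HEADERS = ['host', 'user-agent', 'referer']
function allowlistSerializer (req) {
  const headers = {}
  for (const name of ALLOWED_REQ_HEADERS) {
    if (req.headers[name] !== undefined) headers[name] = req.headers[name]
  }
  return { id: req.id, method: req.method, path: String(req.url).split('?')[0], headers }
}

// Constructed request shaped like Node's IncomingMessage (lower-cased header names).
function sampleRequest () {
  return {
    id: 1,
    method: 'GET',
    url: '/reports?access_token=SAMPLE-QUERY-TOKEN',
    headers: {
      host: 'api.example.test',
      'user-agent': 'curl/8.0',
      cookie: 'session=SAMPLE-SESSION',
      authorization: 'Bearer SAMPLE-TOKEN',
      'x-api-key': 'SAMPLE-KEY'
    }
  }
}

const SECRETS = ['SAMPLE-SESSION', 'SAMPLE-TOKEN', 'SAMPLE-KEY', 'SAMPLE-QUERY-TOKEN']
// Serialize a fresh sample request; report which secrets reached the log line
// and whether the handler can still read its cookie afterwards.
function compare (serializer) {
  const req = sampleRequest()
  const line = JSON.stringify(serializer(req))
  return {
    line,
    leaked: SECRETS.filter(s => line.includes(s)),
    cookieStillOnRequest: 'cookie' in req.headers
  }
}
console.log(compare(blocklistSerializer), compare(allowlistSerializer))
```

The same `compare` helper can be pointed at any candidate serializer to check a logging change against a request that carries headers the blocklist did not anticipate.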
What worked for me (I needed to only delete `cookie` from headers, not the whole headers):

```js
import pino from 'pino'
import pinoHttp from 'pino-http'

const logger = pino()

export const httpLogger = pinoHttp({
  logger,
  serializers: {
    req: pino.stdSerializers.wrapRequestSerializer(r => {
      delete r.headers['cookie']
      return r
    }),
  },
})
```
So that can be done like so

```js
var http = require('http')
var server = http.createServer(handle)

var logger = require('pino-http')({
  serializers: {
    req: (req) => ({
      id: req.id,
      method: req.method,
      url: req.url
    })
  }
})

function handle (req, res) {
  logger(req, res)
  res.end('hello world')
}

server.listen(3000)
```

That gets rid of header, and also remoteAddress and remotePort
serializers needs to be added to readme
perfect, thanks!