1 | # Redaction
|
2 |
|
3 | > Redaction is not supported in the browser [#670](https://github.com/pinojs/pino/issues/670)
|
4 |
|
5 | To redact sensitive information, supply paths to keys that hold sensitive data
|
6 | using the `redact` option:
|
7 |
|
8 | ```js
|
9 | const logger = require('.')({
|
10 | redact: ['key', 'path.to.key', 'stuff.thats[*].secret']
|
11 | })
|
12 |
|
13 | logger.info({
|
14 | key: 'will be redacted',
|
15 | path: {
|
16 | to: {key: 'sensitive', another: 'thing'}
|
17 | },
|
18 | stuff: {
|
19 | thats: [
|
20 | {secret: 'will be redacted', logme: 'will be logged'},
|
21 | {secret: 'as will this', logme: 'as will this'}
|
22 | ]
|
23 | }
|
24 | })
|
25 | ```
|
26 |
|
27 | This will output:
|
28 |
|
29 | ```JSON
|
30 | {"level":30,"time":1527777350011,"pid":3186,"hostname":"Davids-MacBook-Pro-3.local","key":"[Redacted]","path":{"to":{"key":"[Redacted]","another":"thing"}},"stuff":{"thats":[{"secret":"[Redacted]","logme":"will be logged"},{"secret":"[Redacted]","logme":"as will this"}]}}
|
31 | ```
|
32 |
|
33 | The `redact` option can take an array (as shown in the above example) or
|
34 | an object. This allows control over *how* information is redacted.
|
35 |
|
36 | For instance, setting the censor:
|
37 |
|
38 | ```js
|
39 | const logger = require('.')({
|
40 | redact: {
|
41 | paths: ['key', 'path.to.key', 'stuff.thats[*].secret'],
|
42 | censor: '**GDPR COMPLIANT**'
|
43 | }
|
44 | })
|
45 |
|
46 | logger.info({
|
47 | key: 'will be redacted',
|
48 | path: {
|
49 | to: {key: 'sensitive', another: 'thing'}
|
50 | },
|
51 | stuff: {
|
52 | thats: [
|
53 | {secret: 'will be redacted', logme: 'will be logged'},
|
54 | {secret: 'as will this', logme: 'as will this'}
|
55 | ]
|
56 | }
|
57 | })
|
58 | ```
|
59 |
|
60 | This will output:
|
61 |
|
62 | ```JSON
|
63 | {"level":30,"time":1527778563934,"pid":3847,"hostname":"Davids-MacBook-Pro-3.local","key":"**GDPR COMPLIANT**","path":{"to":{"key":"**GDPR COMPLIANT**","another":"thing"}},"stuff":{"thats":[{"secret":"**GDPR COMPLIANT**","logme":"will be logged"},{"secret":"**GDPR COMPLIANT**","logme":"as will this"}]}}
|
64 | ```
|
65 |
|
66 | The `redact.remove` option also allows for the key and value to be removed from output:
|
67 |
|
68 | ```js
|
69 | const logger = require('.')({
|
70 | redact: {
|
71 | paths: ['key', 'path.to.key', 'stuff.thats[*].secret'],
|
72 | remove: true
|
73 | }
|
74 | })
|
75 |
|
76 | logger.info({
|
77 | key: 'will be redacted',
|
78 | path: {
|
79 | to: {key: 'sensitive', another: 'thing'}
|
80 | },
|
81 | stuff: {
|
82 | thats: [
|
83 | {secret: 'will be redacted', logme: 'will be logged'},
|
84 | {secret: 'as will this', logme: 'as will this'}
|
85 | ]
|
86 | }
|
87 | })
|
88 | ```
|
89 |
|
90 | This will output
|
91 |
|
92 | ```JSON
|
93 | {"level":30,"time":1527782356751,"pid":5758,"hostname":"Davids-MacBook-Pro-3.local","path":{"to":{"another":"thing"}},"stuff":{"thats":[{"logme":"will be logged"},{"logme":"as will this"}]}}
|
94 | ```
|
95 |
|
96 | See [pino options in API](/docs/api.md#redact-array-object) for `redact` API details.
|
97 |
|
98 | <a name="paths"></a>
|
99 | ## Path Syntax
|
100 |
|
101 | The syntax for paths supplied to the `redact` option conform to the syntax in path lookups
|
102 | in standard EcmaScript, with two additions:
|
103 |
|
104 | * paths may start with bracket notation
|
105 | * paths may contain the asterisk `*` to denote a wildcard
|
106 |
|
107 | By way of example, the following are all valid paths:
|
108 |
|
109 | * `a.b.c`
|
110 | * `a["b-c"].d`
|
111 | * `["a-b"].c`
|
112 | * `a.b.*`
|
113 | * `a[*].b`
|
114 |
|
115 | ## Overhead
|
116 |
|
117 | Pino's redaction functionality is built on top of [`fast-redact`](http://github.com/davidmarkclements/fast-redact)
|
118 | which adds about 2% overhead to `JSON.stringify` when using paths without wildcards.
|
119 |
|
120 | When used with pino logger with a single redacted path, any overhead is within noise -
|
121 | a way to deterministically measure it's effect has not been found. This is because its not a bottleneck.
|
122 |
|
123 | However, wildcard redaction does carry a non-trivial cost relative to explicitly declaring the keys
|
124 | (50% in a case where four keys are redacted across two objects). See
|
125 | the [`fast-redact` benchmarks](https://github.com/davidmarkclements/fast-redact#benchmarks) for details.
|
126 |
|
127 | ## Safety
|
128 |
|
129 | The `redact` option is intended as an initialization time configuration option.
|
130 | It's extremely important that path strings do not originate from user input.
|
131 | The `fast-redact` module uses a VM context to syntax check the paths, user input
|
132 | should never be combined with such an approach. See the [`fast-redact` Caveat](https://github.com/davidmarkclements/fast-redact#caveat)
|
133 | and the [`fast-redact` Approach](https://github.com/davidmarkclements/fast-redact#approach) for in-depth information.
|