Obfuscate sensitive request data with morgan in node.js

Daniel Hilton
Compare the Market
2 min read · Apr 27, 2018

With the upcoming GDPR legislation in Europe, the team I’m in has had a compliance mindset for the past few weeks. We’ve rearchitected and written brand-new services with ‘the right to be forgotten’ in mind. Another concern is the handling of ‘PII’, or Personally Identifiable Information, and email addresses are one such thing.

If, like us, you use node.js and morgan logging in some of your applications, you know that morgan likes to log your requests. But what if the requests being logged contain sensitive information such as email addresses? What if you have:

GET /account-details/my-email@email.com/addresses 200 32ms

in your morgan logs? If this is persisted, you have a big problem in GDPR-land.

This is where custom formatters come in! Instead of this:

app.use(morgan('combined'))

Use something like this:

app.use(morgan((tokens, request, response) => {
  return [
    tokens.method(request, response),
    obfuscator.obfuscate(tokens.url(request, response)),
    tokens.status(request, response),
    tokens['response-time'](request, response), 'ms'
  ].join(' ')
}));

Where obfuscator.obfuscate(str) is your own home-grown function that replaces the data you want hidden with a placeholder string. Something like this:

function obfuscate(urlToObfuscate) {
  // Only URLs that carry an email address need rewriting.
  if (urlToObfuscate.includes('@')) {
    // Keep the '/account-details/' prefix ($1) and the trailing path ($2);
    // replace whatever sits between them with a fixed marker.
    return urlToObfuscate.replace(/(\/account-details\/).*(\/.+)/, '$1REDACTED$2');
  }
  return urlToObfuscate;
}

module.exports = {
  obfuscate
};

This is strictly an example, tailor it to your needs!

Now your morgan logger will call obfuscator.obfuscate(tokens.url(request, response)) each time it writes a line, preventing that all-important PII from appearing in your logs. You’ll now get something like this:

GET /account-details/REDACTED/addresses 200 32ms
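The post’s regex is tied to one route shape: it only fires when the email sits between ‘/account-details/’ and a further path segment, so ‘/account-details/my-email@email.com’ on its own, or an address percent-encoded as ‘my-email%40email.com’, would still reach the log. The following is an added example, not code from the original post or from morgan itself, that generalises the same idea: every path segment is decoded and checked for an email shape, query parameters are checked by name and by value, and the formatter is the same (tokens, req, res) => string shape morgan accepts. The names redactUrl, formatLine, SENSITIVE_PARAMS and the fakeTokens stand-in for morgan’s token functions are assumptions made for this example so that it runs without morgan installed.

```javascript
// Added example (not from the original post or from morgan): a more general
// URL redactor for morgan-style request logging.

// Deliberately simple email shape; full RFC 5322 parsing is not the goal here.
// Kept non-global so .test() carries no lastIndex state between calls.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Query parameters whose values never belong in a log, whatever their shape.
// (Assumed list for this example; extend it for your own routes.)
const SENSITIVE_PARAMS = new Set(['email', 'token', 'password']);

function safeDecode(part) {
  // A malformed %-sequence must not crash the logger; log the raw text instead.
  try { return decodeURIComponent(part); } catch { return part; }
}

function redactUrl(url) {
  const qIdx = url.indexOf('?');
  const path = qIdx === -1 ? url : url.slice(0, qIdx);
  const query = qIdx === -1 ? '' : url.slice(qIdx + 1);

  // Path: decode each segment so '%40' is seen as '@', and replace the whole
  // segment when it looks like an address (mirrors the post's REDACTED marker).
  const redactedPath = path
    .split('/')
    .map((segment) => (EMAIL_RE.test(safeDecode(segment)) ? 'REDACTED' : segment))
    .join('/');

  if (query === '') return redactedPath;

  // Query: rebuild the parameter list, masking by key name or by value shape.
  const redacted = new URLSearchParams();
  for (const [key, value] of new URLSearchParams(query)) {
    const sensitive = SENSITIVE_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value);
    redacted.append(key, sensitive ? 'REDACTED' : value);
  }
  return `${redactedPath}?${redacted.toString()}`;
}

// Formatter in the shape morgan's custom-format API expects: it receives
// morgan's token functions plus req/res and returns one log line.
function formatLine(tokens, req, res) {
  return [
    tokens.method(req, res),
    redactUrl(tokens.url(req, res)),
    tokens.status(req, res),
    tokens['response-time'](req, res) + 'ms',
  ].join(' ');
}

// Constructed stand-in for morgan's built-in tokens so the demo runs offline;
// real morgan derives these from the live request/response objects.
const fakeTokens = {
  method: (req) => req.method,
  url: (req) => req.originalUrl || req.url,
  status: (req, res) => String(res.statusCode),
  'response-time': () => '32',
};

function demo() {
  // Constructed sample request matching the post's example.
  const req = { method: 'GET', url: '/account-details/my-email@email.com/addresses' };
  const res = { statusCode: 200 };
  return formatLine(fakeTokens, req, res);
}

console.log(demo());
```

With real morgan you would pass formatLine straight in: app.use(morgan(formatLine)). Redacting at the formatter boundary means the decision is made once per line, before anything is written, rather than relying on downstream log scrubbing.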

Hope this was useful, don’t forget to give it a clap if you did and share around.

Daniel Hilton
Compare the Market

Software Engineer for Compare The Market, dad, lover of tech, cars, software and all things Japanese.