Skip to content

Feature Request: Automatic Data Masking and Redaction for Sensitive Custom Fields #320

New issue
New issue
Open
Open
Feature Request: Automatic Data Masking and Redaction for Sensitive Custom Fields#320
@KarstenSchnitter

Description

@KarstenSchnitter
KarstenSchnitter
opened on Dec 12, 2025

Currently, if a developer adds a custom field containing sensitive information (e.g., PII, passwords, API tokens) via MDC, the Fluent API, or a ContextFieldSupplier, there is a risk of this data being written to logs in plain text.

This poses a significant security and compliance risk, as sensitive data can be inadvertently exposed in log aggregation platforms. Relying on individual developers to manually sanitize or avoid logging this data is error-prone and not a scalable solution for large teams or enterprise applications.

The logging encoders (JsonEncoder for Logback, JsonPatternLayout for Log4j2) should be extended to automatically mask or redact the values of specified custom fields before they are written to the final JSON log.
This feature should be configurable within the logback.xml or log4j2.xml files, allowing operators to define a list of field keys whose values should always be masked.

A developer or operator would configure a list of sensitive field keys in their logging configuration.

Example with Logback (logback.xml)

<configuration>
    <appender name="STDOUT-JSON" class="ch.qos.logback.core.ConsoleAppender">
        <encoder class="com.sap.hcp.cf.logback.encoder.JsonEncoder">
            <!-- New configuration to specify fields to mask -->
            <maskedFields>password,ssn,user_token</maskedFields>
            
            <!-- Optional: Configure the replacement text -->
            <maskValue>[REDACTED]</maskValue>
        </encoder>
    </appender>
    
    <root level="INFO">
        <appender-ref ref="STDOUT-JSON" />
    </root>
</configuration>

Example with Log4j2 (log4j2.xml)

<Configuration>
    <Appenders>
        <Console name="STDOUT-JSON" target="SYSTEM_OUT">
            <JsonPatternLayout>
                <!-- New configuration to specify fields to mask -->
                <maskedFields>password,ssn,user_token</maskedFields>
                
                <!-- Optional: Configure the replacement text -->
                <maskValue>[REDACTED]</maskValue>
            </JsonPatternLayout>
        </Console>
    </Appenders>
    <Loggers>
        <Root level="INFO">
            <AppenderRef ref="STDOUT-JSON" />
        </Root>
    </Loggers>
</Configuration>

Given the configuration above, if the application code is:

LOG.atInfo()
   .addKeyValue("user_id", "test-user")
   .addKeyValue("user_token", "abc-def-123-456") // This is a sensitive key
   .log("User logged in successfully");

The expected log output would be:

{
  "level": "INFO",
  "msg": "User logged in successfully",
  "user_id": "test-user",
  "user_token": "[REDACTED]"  // The sensitive value is automatically masked
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions