https://github.com/nblumhardt/serilog-redaction
Sample project demonstrating a more complete approach to Serilog text redaction
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/nblumhardt/serilog-redaction
- Owner: nblumhardt
- License: apache-2.0
- Created: 2024-02-25T21:38:21.000Z (over 1 year ago)
- Default Branch: dev
- Last Pushed: 2024-02-26T01:25:05.000Z (over 1 year ago)
- Last Synced: 2025-03-21T15:12:27.035Z (2 months ago)
- Language: C#
- Size: 11.7 KB
- Stars: 5
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# serilog-redaction
A sample project demonstrating a more complete approach to Serilog text redaction.
This improves on widely-available implementations of redaction with Serilog by processing message templates,
exceptions (messages, types, stack traces), and property names — all of which are frequently overlooked.

See `Program.cs` for the complete example.
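The shape of that approach, as an added example that is not the repository's `Program.cs`: a wrapping sink rebuilds each `LogEvent` so that the template text, every property name and value (recursively through structures, sequences and dictionaries), and the exception have all been passed through the same redactor before the inner sink sees them. It assumes the Serilog and Serilog.Sinks.Console packages; the names `Redactor`, `RedactedException` and `RedactingSink` and the sample secrets are invented here for illustration.

```csharp
// Added example (not the repository's Program.cs). Assumes the Serilog and
// Serilog.Sinks.Console packages; Redactor, RedactedException and RedactingSink
// are names invented here for illustration.
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using Serilog;
using Serilog.Core;
using Serilog.Events;
using Serilog.Parsing;

// Ordinal substring replacement over a fixed set of secrets (constructed list).
sealed class Redactor
{
    readonly string[] _secrets;
    public Redactor(params string[] secrets) => _secrets = secrets;
    public string Redact(string text)
    {
        foreach (var s in _secrets) text = text.Replace(s, "[REDACTED]");
        return text;
    }
}

// Replaces the original exception so that everything sinks render (Message,
// StackTrace, and ToString(), which carries the type name) is already redacted.
// The original type hierarchy is intentionally lost; the type name is data too.
sealed class RedactedException : Exception
{
    readonly string _rendered;
    readonly string _stackTrace;
    public RedactedException(Exception original, Redactor r) : base(r.Redact(original.Message))
    {
        _rendered = r.Redact(original.ToString());
        _stackTrace = r.Redact(original.StackTrace ?? "");
    }
    public override string? StackTrace => _stackTrace;
    public override string ToString() => _rendered;
}

// Wraps another sink and rebuilds each LogEvent with template text, property
// names, property values (recursively) and the exception redacted.
sealed class RedactingSink : ILogEventSink
{
    readonly ILogEventSink _inner;
    readonly Redactor _r;
    readonly MessageTemplateParser _parser = new();
    public RedactingSink(ILogEventSink inner, Redactor r) { _inner = inner; _r = r; }

    public void Emit(LogEvent e)
    {
        // Redacting the raw template text is deliberate: a hole named after a secret
        // becomes literal text instead of leaking its name when the event is rendered.
        var template = _parser.Parse(_r.Redact(e.MessageTemplate.Text));
        var props = e.Properties.Select(p => new LogEventProperty(_r.Redact(p.Key), Redact(p.Value)));
        var ex = e.Exception is null ? null : new RedactedException(e.Exception, _r);
        _inner.Emit(new LogEvent(e.Timestamp, e.Level, ex, template, props));
    }

    LogEventPropertyValue Redact(LogEventPropertyValue v) => v switch
    {
        ScalarValue { Value: string s } => new ScalarValue(_r.Redact(s)),
        // Non-string scalars are formatted later by the sink, culture and all; that
        // rendering is never scanned here, which is one of the gaps the README's
        // Security section warns about.
        ScalarValue sv => sv,
        SequenceValue seq => new SequenceValue(seq.Elements.Select(Redact)),
        StructureValue st => new StructureValue(
            st.Properties.Select(p => new LogEventProperty(_r.Redact(p.Name), Redact(p.Value))),
            st.TypeTag is null ? null : _r.Redact(st.TypeTag)),
        DictionaryValue d => new DictionaryValue(d.Elements.Select(kv =>
            new KeyValuePair<ScalarValue, LogEventPropertyValue>((ScalarValue)Redact(kv.Key), Redact(kv.Value)))),
        _ => v,
    };
}

static class Program
{
    static void Main()
    {
        var redactor = new Redactor("hunter2", "alice@example.com");   // constructed sample secrets

        // Logger implements ILogEventSink, so an ordinary console logger can be the inner sink.
        using var console = new LoggerConfiguration().WriteTo.Console().CreateLogger();
        using var log = new LoggerConfiguration()
            .WriteTo.Sink(new RedactingSink(console, redactor))
            .CreateLogger();

        try
        {
            throw new InvalidOperationException("Login failed for alice@example.com using hunter2");
        }
        catch (Exception ex)
        {
            // Secret in the template text, in a dictionary key (a property name), in a
            // nested value, and in the exception message and stack trace.
            var context = new Dictionary<string, string> { ["hunter2"] = "session-token", ["user"] = "alice@example.com" };
            log.Error(ex, "Login failed for alice@example.com with {@Context}", context);
        }

        // Not caught: an ordinal match does not recognise this fullwidth spelling of the
        // same secret, one of the Unicode/encoding vectors the README calls out.
        log.Warning("Token {Token} rejected", "ｈｕｎｔｅｒ２");
    }
}
```

Two design points worth noticing: redacting a property name can collide with another name (two keys both becoming `[REDACTED]`), which is the schema breakage the Data validity section describes; and the final `Warning` call shows why the README refuses to call this a security boundary, since the redactor only sees the exact byte sequence it was given.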
## Security
This example **does not consider redaction to be a security boundary**: applying redaction does not make the
resulting log output safe enough for public/untrusted display.

Redaction can improve the security of systems, and serve as an additional safeguard for secrets or PII, but it
is not sufficient as a primary protection. As an example, text encodings, Unicode handling, and culture-specific
formatting quirks provide broad vectors for subverting redaction attempts.

However, if you're able to find a way to exfiltrate redacted information that the example doesn't account for,
please raise an issue!

> As the code serves as an example only, it doesn't include tests.
## Performance
Redaction has a performance cost in scanning for redaction targets, and allocating replacements for redacted event
components. For many use cases this will be inconsequential, but if performance is critical, consider implementing
a mechanism for reviewing and marking high-frequency events as "safe", to bypass redaction.

> As this code is an example, only the simplest, most obvious performance optimizations are made. There are many
> low-hanging fruit remaining.

## Data validity
Redacting property names in events and structured data means that the output may no longer follow an expected format
or schema. This is considered of secondary importance compared with the need to limit propagation of the sensitive
information being redacted, but it's worth keeping in mind.