Config: Do not log URL parameters. (!12878) · Merge requests · vpe-public / forks / ingress-nginx

Placeholder Richard Tweed requested to merge github/fork/RichardoC/dont-log-query-params into main Feb 21, 2025

What this PR does / why we need it:

The default logging configuration will capture the url query strings, which often have sensitive information in them [1] This PR changes that behaviour so these are no longer logged by default.

This has already been reported to security@kubernetes.io, and they said to open a public PR about it.

[1] https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
CVE Report (Scanner found CVE and adding report)
Breaking change (fix or feature that would cause existing functionality to change)
Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

Already running with this configuration on my own cluster

Checklist:

My change requires a change to the documentation.
I have updated the documentation accordingly.
I've read the CONTRIBUTION guide
I have added unit and/or e2e tests to cover my changes.
[] All new and existing tests passed.

Config: Do not log URL parameters.

What this PR does / why we need it:

Types of changes

Which issue/s this PR fixes

How Has This Been Tested?

Checklist:

Merge request reports