diff --git a/docs/guide/runtime-logging.md b/docs/guide/runtime-logging.md
index 041150abd2c..7bccee119c1 100644
--- a/docs/guide/runtime-logging.md
+++ b/docs/guide/runtime-logging.md
@@ -217,14 +217,20 @@ Or if you want to implement your own way of providing context information, you m
 [[yii\log\Target::getContextMessage()]] method.
 In case some of your request fields contain sensitive information you would not like to log (e.g. passwords, access tokens),
-you may additionally configure `maskVars` property. By default, the following request parameters will be masked with `***`:
+you may additionally configure `maskVars` property, which can contain both exact values and (case-insensitive) patterns. By default,
+the following request parameters will be masked with `***`:
 `$_SERVER[HTTP_AUTHORIZATION]`, `$_SERVER[PHP_AUTH_USER]`, `$_SERVER[PHP_AUTH_PW]`, but you can set your own:
 ```php
 [
 'class' => 'yii\log\FileTarget',
 'logVars' => ['_SERVER'],
- 'maskVars' => ['_SERVER.HTTP_X_PASSWORD']
+ 'maskVars' => [
+ '_SERVER.HTTP_X_PASSWORD',
+ '_SERVER.*_SECRET', // matches all ending with "_SECRET"
+ '_SERVER.SECRET_*', // matches all starting with "SECRET_"
+ '_SERVER.*SECRET*', // matches all containing "SECRET"
+ ]
 ]
 ```
diff --git a/framework/log/Target.php b/framework/log/Target.php
index 8e87160c496..a56d9efbf00 100644
--- a/framework/log/Target.php
+++ b/framework/log/Target.php
@@ -92,6 +92,11 @@ abstract class Target extends Component
  * - `var` - `var` will be logged as `***`
  * - `var.key` - only `var[key]` will be logged as `***`
  *
+ * In addition, this property accepts (case-insensitive) patterns. For example:
+ * - `_SERVER.*_SECRET` matches all ending with `_SECRET`, such as `$_SERVER['TOKEN_SECRET']` etc.
+ * - `_SERVER.SECRET_*` matches all starting with `SECRET_`, such as `$_SERVER['SECRET_TOKEN']` etc.
+ * - `_SERVER.*SECRET*` matches all containing `SECRET` i.e. both of the above.
+ *
  * @since 2.0.16
  */
 public $maskVars = [
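Review bot: The added docblock lines on `$maskVars` in Target.php say the property accepts patterns but never define the matching rules, so a reader cannot tell whether `*` is the only wildcard, whether `?` or `[...]` carry fnmatch-style meaning, or whether `*` may span the `.` separator and reach nested keys (for example whether `_SERVER.*SECRET*` also masks a hypothetical nested `_SERVER.APP.SECRET_KEY`). Because this property decides what sensitive request data stays out of the logs, an under-specified pattern is an easy way to leak a value one believed was masked; suggest a line such as ` * A pattern is compared against the key name only; `*` stands for any run of characters and is the only wildcard recognized.` adjusted to whatever the matcher actually implements, which is not visible in this hunk. The examples could also state that a key containing a literal `*` cannot be matched exactly, if that is the case. The pattern support is newer than the property's `@since 2.0.16`, so noting the version it landed in, e.g. ` * Patterns are supported since <VERSION>.`, would help users on older 2.0.x releases. The `$maskVars` declaration and the enclosing class continue outside the hunk.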