
Data Redactions

Updated Sep 26, 2021

To maintain Data Privacy, Signal Sciences redacts sensitive data from requests before they reach the platform backend.

Selective data transfer and redaction

The Signal Sciences agent filters requests locally to determine whether they contain an attack. Only requests that are marked as attacks or anomalies are sent to the Signal Sciences backend, and only after additional filtering and sanitizing are done. Once the agent identifies a potential attack or anomaly in a request, it sends only the individual parameter of the request that contains the attack payload, plus a few other non-sensitive or benign portions of the request (such as client IP, user agent, URI, etc.). The entire request is never sent to the Signal Sciences backend. Additionally, specific portions of the request are automatically redacted and never sent to the backend, including tokens, credentials, and known patterns such as credit card and social security numbers.

Sensitive headers

Signal Sciences redacts the following from requests:

  • Explicit names: authorization, x-auth-token, cookie, set-cookie
  • Any names that contain: -token, -auth, -key, -sess, -pass, -secret
  • Query strings from referer and location

The initial request:

POST /example?sort=ascending HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)
Accept: text/html, application/xhtml+xml
Content-Length: 57
Cookie: foo=bar

sensitive=hunter2&foobar=<script>alert(1)</script>&page=3

What’s sent to Signal Sciences:

POST /example HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)

foobar=<script>alert(1)</script>
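The selective transfer and header rules described above, as an added Python example (this is not Signal Sciences' agent code): it drops headers that match the explicit-name and substring rules, strips the query string from Referer and Location, removes the query string from the request target, and forwards only the one body parameter the local detector flagged. The sample request (the page's example plus two extra headers), the decision to drop the original Content-Length, and the flagged parameter name are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Rule set copied from the page's "Sensitive headers" list.
EXPLICIT_HEADERS = {"authorization", "x-auth-token", "cookie", "set-cookie"}
HEADER_SUBSTRINGS = ("-token", "-auth", "-key", "-sess", "-pass", "-secret")
QUERY_STRIPPED_HEADERS = {"referer", "location"}
# Assumption for this example: the original Content-Length is dropped because
# the upload carries a re-encoded fragment, not the original body.
DROPPED_HEADERS = {"content-length"}


def is_sensitive_header(name: str) -> bool:
    """True if the header is named explicitly or contains a sensitive fragment."""
    n = name.lower()
    return n in EXPLICIT_HEADERS or any(s in n for s in HEADER_SUBSTRINGS)


def strip_query(url: str) -> str:
    """Remove the query string from an absolute URL or a path-only target."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", p.fragment))


def redact_headers(headers):
    """Drop sensitive headers and strip query strings from Referer/Location."""
    out = []
    for name, value in headers:
        key = name.lower()
        if is_sensitive_header(name) or key in DROPPED_HEADERS:
            continue
        if key in QUERY_STRIPPED_HEADERS:
            value = strip_query(value)
        out.append((name, value))
    return out


def select_parameter(body: str, flagged: str) -> str:
    """Keep only the parameter the detector flagged. The body is split on the
    raw '&' and '=' so the payload is carried through without decoding."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name == flagged:
            return f"{name}={value}"
    return ""


def parse_request(raw: str):
    """Minimal parser for a raw HTTP/1.1 request text (CRLF line endings)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def build_upload(raw: str, flagged_param: str) -> dict:
    """Produce the reduced view of the request that would leave the host,
    given the name of the parameter the local detector flagged as the attack."""
    method, target, version, headers, body = parse_request(raw)
    return {
        "request_line": f"{method} {strip_query(target)} {version}",
        "headers": redact_headers(headers),
        "body": select_parameter(body, flagged_param),
    }


# Constructed sample request: the page's example plus two extra headers that
# exercise the substring rule (X-Api-Key) and the query-string rule (Referer).
SAMPLE_REQUEST = (
    "POST /example?sort=ascending HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)\r\n"
    "Accept: text/html, application/xhtml+xml\r\n"
    "Content-Length: 57\r\n"
    "Cookie: foo=bar\r\n"
    "X-Api-Key: abc123\r\n"
    "Referer: https://example.com/login?next=/account&token=xyz\r\n"
    "\r\n"
    "sensitive=hunter2&foobar=<script>alert(1)</script>&page=3"
)

if __name__ == "__main__":
    upload = build_upload(SAMPLE_REQUEST, "foobar")
    print(upload["request_line"])
    for name, value in upload["headers"]:
        print(f"{name}: {value}")
    print()
    print(upload["body"])
```

Note that the page's own example also omits the Accept header: which benign headers the agent chooses to forward is not specified on this page, so the example applies only the stated redaction rules and leaves Accept in place.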

Sensitive parameters

If a request contains an attack or anomaly, and also contains sensitive data in commonly-used parameter names, Signal Sciences will redact the entire contents of the sensitive parameter. These parameters include:

  • api_key
  • password
  • passwd
  • pass
  • pw
  • user
  • login
  • loginid
  • username
  • email
  • key
  • id
  • sid
  • token
  • request_token
  • access_token
  • csrfmiddlewaretoken
  • oauth_verifier
  • confirm_password
  • password_confirmation

The initial request:

POST /example HTTP/1.1

username=<script>alert("jsmith")</script>

What’s sent to Signal Sciences:

POST /example HTTP/1.1

username=[redacted]

The console clearly displays which parameters have been redacted. Redacted parameters are replaced with the word REDACTED highlighted in yellow.

A redacted parameter. The parameter is replaced with the word 'REDACTED' highlighted in yellow.

Sensitive patterns

Signal Sciences automatically redacts known patterns of sensitive information, which includes the following:

  • Credit card numbers: values like 4111-1111-1111-1111 become 0000-0000-0000-0000
  • Social security numbers: values like 078-05-1120 become 000-00-0000
  • GUIDs: values like 3F2504E0-4F89-41D3-9A0C-0305E82C3301 become 0000000-0000-0000-0000-000000000000
  • Bank account (IBAN) numbers: values like DE75512108001245126199 become AA00aaaa0000000

The initial request:

POST /example HTTP/1.1

credit_card_example=<script>alert("4111-1111-1111-1111")</script>

What’s sent to Signal Sciences:

POST /example HTTP/1.1

credit_card_example=<script>alert("0000-0000-0000-0000")</script>

Within the console we clearly display which patterns have been redacted. Redacted patterns are replaced with the word REDACTED highlighted in yellow.


Custom redactions

In addition to the redactions listed above, you can also specify additional fields to redact from requests. For example, if your password field is named “foobar” instead of “password”, that field can be specified for redaction. Specify additional fields for redaction by following these steps:

  1. Go to Site Rules > Redactions and click on New redaction
  2. Enter the field to be redacted
  3. Select the type of field to be redacted (Request Parameter, Request Header, or Response Header)
  4. Click Create redaction
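The three redaction behaviours above (sensitive parameter names, sensitive patterns, and custom field names) combined in one added Python example; this is not Signal Sciences' agent code. The parameter-name list is copied from the page and any custom names are passed in alongside it; the masks follow the page's examples (the GUID mask here uses the full 8-4-4-4-12 shape); the regular expressions are this example's own approximations of the patterns, not the agent's, and the `[redacted]` marker and the sample bodies are constructed.

```python
import re

# Parameter names the page lists as redacted in full (copied from the page).
SENSITIVE_PARAMS = {
    "api_key", "password", "passwd", "pass", "pw", "user", "login", "loginid",
    "username", "email", "key", "id", "sid", "token", "request_token",
    "access_token", "csrfmiddlewaretoken", "oauth_verifier",
    "confirm_password", "password_confirmation",
}

# Pattern redactions as (label, regex, mask). Masks follow the page's examples
# (GUID mask in full 8-4-4-4-12 shape); the regexes are this example's own
# approximations, not the agent's.
PATTERNS = [
    ("credit_card", re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"), "0000-0000-0000-0000"),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "000-00-0000"),
    ("guid",
     re.compile(r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b"),
     "00000000-0000-0000-0000-000000000000"),
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}[A-Za-z0-9]{11,30}\b"), "AA00aaaa0000000"),
]

REDACTED = "[redacted]"  # constructed marker, matching the page's examples


def redact_value(value: str):
    """Mask every known sensitive pattern inside one value.
    Returns (masked_value, labels_of_patterns_hit)."""
    hits = []
    for label, rx, mask in PATTERNS:
        value, count = rx.subn(mask, value)
        if count:
            hits.append(label)
    return value, hits


def redact_params(params, custom_names=()):
    """params: iterable of (name, value). custom_names: extra parameter names
    configured as custom redactions. Returns [(name, value, reasons)], where
    reasons is ['parameter'] for a name match or the pattern labels hit."""
    names = SENSITIVE_PARAMS | {n.lower() for n in custom_names}
    out = []
    for name, value in params:
        if name.lower() in names:
            # Name match: the whole value goes, whatever it contains.
            out.append((name, REDACTED, ["parameter"]))
            continue
        # Otherwise the value is kept, but known patterns inside it are masked,
        # including inside an attack payload.
        value, hits = redact_value(value)
        out.append((name, value, hits))
    return out


def redact_body(body: str, custom_names=()) -> str:
    """Apply both redactions to a raw form body and re-encode it, splitting on
    raw '&' and '=' so attack payloads pass through undecoded."""
    params = [pair.partition("=")[::2] for pair in body.split("&") if pair]
    return "&".join(f"{n}={v}" for n, v, _ in redact_params(params, custom_names))


if __name__ == "__main__":
    # Constructed inputs matching the page's examples, plus a custom field.
    print(redact_body('username=<script>alert("jsmith")</script>'))
    print(redact_body('credit_card_example=<script>alert("4111-1111-1111-1111")</script>'))
    print(redact_body("foobar=hunter2&page=3", custom_names=["foobar"]))
```

Name-based redaction is checked first, so a value under a sensitive name is dropped whole and never reaches the pattern stage; pattern masking only runs on values whose names are not on the list, which is how the credit card number inside the `credit_card_example` payload ends up masked while the payload itself is kept.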

Transparency

To allow for easy verification of what the agent sends to the backend, Signal Sciences provides a way to view all agent-to-backend communication. Go to the Agents page in your console, click on an Agent ID, and navigate to the Requests tab. The same information is also available from the agent itself by running it with the debug-log-uploads=0|1|2 command line argument. Additional information about agent configuration options can be found in our Agent Configuration guide.