Log changes to sensitive field but do not log values

Created on 23 May 2025, 14 days ago

Problem/Motivation

Some fields contain sensitive data (eg API keys etc) and the values should not be recorded in the log.
But log should contain which user has updated the key and when.

Steps to reproduce

Log record now:
Configuration changed: hubspot_api.settings.access_key changed from 123-124-125 to 222-444-555 at 1748009132

Proposed resolution

Add a configuration setting and text field on settings form (similar to "Configuration entity names to ignore") to not log config property value.

Proposed log record:
Configuration changed: hubspot_api.settings.access_key changed by user j.smith at 1748009132

Remaining tasks

- update settings to include new property "Do not log value of config property"
- update config settings form
- update logging logic

User interface changes

- settings form to include a new text field

API changes

- none

Data model changes

- update settings to include new property "Do not log value of config property"

This will help to prevent any leaks of API keys and other sensitive data.

Feature request
Status

Active

Version

4.0

Component

Code

Created by

🇦🇺Australia jannakha Brisbane!

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024