httpd-dev mailing list archives

From Daniel Ruggeri <>
Subject Re: [PATCH] mod_log_forensic security considerations
Date Fri, 08 Jun 2012 22:14:56 GMT
On 6/8/2012 12:52 PM, Jim Riggs wrote:
> Having the forensic logs available has proven extremely helpful in this scenario. Might
> the full, unfiltered forensic data be valuable? Yes, but I don't believe the security risk
> is worth it in my situation. The rare case where an Authorization header might be truly useful
> for debugging or RCA is vastly overshadowed by the usefulness of the rest of the request information
> stored in the forensic log.

I'd think this use case represents the minority - seems to me that since
the module already supports writing to a pipe, a simple run through sed
or perl -p -e should be enough for those who would like to run this in
production all the time.

If a code change is really what the community thinks is needed, it
should become an optional parameter disabled by default. Should we run
down that path, it becomes an exercise in figuring out how we give the
administrator the option of disabling certain headers from being printed
with the flexibility for that administrator to define a match that can
suit every need (headers of various names and cookies of various names
being the more recently discussed items).

Daniel Ruggeri
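One way to do the sed-over-a-pipe filtering described above, as an added example that is not from the thread or from httpd itself: a small POSIX shell filter for a piped ForensicLog that masks Authorization values and the value of one named cookie before the line reaches disk. The script path, log path and the cookie name JSESSIONID are assumptions.

```shell
#!/bin/sh
# Constructed example: a filter for a piped ForensicLog that masks secrets
# before mod_log_forensic output reaches disk. Example httpd directive
# (the script path and log path are assumptions):
#   ForensicLog "|/usr/local/bin/forensic-redact.sh /var/log/httpd/forensic.log"
#
# mod_log_forensic emits one "+id|request-line|Header:value|..." line when a
# request starts and a bare "-id" line when it completes. Fields are separated
# by "|" and the module escapes a literal "|" inside a value, so a header
# value can be matched up to the next "|".

# Headers whose entire value is replaced (ERE alternation; the first letter
# is matched either way because clients vary in capitalisation).
REDACT_HEADERS='[Aa]uthorization|[Pp]roxy-[Aa]uthorization'

# Cookie whose value alone is replaced; the rest of the Cookie header is kept.
# JSESSIONID is an assumed name; adjust to the application's session cookie.
SESSION_COOKIE='JSESSIONID'

# Replace the value of every header listed in REDACT_HEADERS.
redact_headers() {
    sed -E "s/\|(${REDACT_HEADERS}):[^|]*/|\1:[REDACTED]/g"
}

# Replace the value of one named cookie ($1) inside a Cookie header. The
# name must follow "Cookie:" or "; " directly, so "XJSESSIONID" is untouched.
# $1 is used as a regex fragment, so it must not contain metacharacters.
redact_cookie() {
    sed -E "s/(\|[Cc]ookie:([^|]*; )?$1=)[^;|]*/\1[REDACTED]/g"
}

# Full pipeline: header-level redaction followed by cookie-level redaction.
# Lines without a match ("-id" lines, other headers) pass through unchanged.
redact_forensic() {
    redact_headers | redact_cookie "$SESSION_COOKIE"
}

# Script mode: with a log path argument, filter stdin and append to that file.
# With no arguments only the functions are defined.
if [ "$#" -gt 0 ]; then
    redact_forensic >> "$1"
fi
```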
