Log Masking
Prevent sensitive data from appearing in the web UI and log files.
Mask environment variables
[masking]
env_vars = ["API_KEY", "DB_PASSWORD", "SECRET_TOKEN"]
Any occurrence of the environment variable's value in stdout or stderr is replaced with ***.
Mask patterns
[masking]
patterns = [
"(api[_-]?key)[=:]\\s*\\S+",
"Bearer\\s+\\S+",
"password[=:]\\s*\\S+"
]
Regex patterns are compiled at startup. Any match in log output is replaced with ***.
When masking applies
- stdout displayed in the web UI
- stderr displayed in the web UI
- Masking is applied at display time; raw logs on disk are unmodified and still contain the original values
Best practices
- Always mask secrets passed as environment variables
- Use regex patterns for secrets that appear in API responses
- Combine both approaches for defense in depth
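A minimal Python model of the two masking modes described above, run over constructed output lines to show which secrets the example patterns catch and which they miss; it is an added example, not the tool's own code. It assumes Python's `re` semantics (case-sensitive by default), since the page does not name the tool's regex engine; `build_masker`, `leaks`, and all sample values are hypothetical.

```python
import re

# The three patterns from the [masking] example above (TOML "\\s" is regex \s).
PATTERNS = [
    r"(api[_-]?key)[=:]\s*\S+",
    r"Bearer\s+\S+",
    r"password[=:]\s*\S+",
]
MASK = "***"


def build_masker(env, env_vars, patterns):
    """Return a function that masks one line of output for display."""
    # Skip unset/empty values: replacing "" would insert the mask everywhere.
    values = [env[name] for name in env_vars if env.get(name)]
    # Longest first, so a secret that contains another is masked whole.
    values.sort(key=len, reverse=True)
    compiled = [re.compile(p) for p in patterns]  # compiled once, up front

    def mask(line):
        for value in values:
            line = line.replace(value, MASK)
        for rx in compiled:
            line = rx.sub(MASK, line)
        return line

    return mask


def leaks(masked_line, secrets):
    """Return the secrets still visible in a masked line."""
    return [s for s in secrets if s in masked_line]


# Constructed sample environment and output lines (not real credentials).
SAMPLE_ENV = {"API_KEY": "k-7f3a91", "DB_PASSWORD": "hunter2-db", "SECRET_TOKEN": ""}
SAMPLE_LINES = [
    "connecting with k-7f3a91 to db using hunter2-db",
    "Authorization: Bearer eyJhbGciOi.constructed",
    "api_key=zz-other-key retry=1",
    "Password: s3cr3t-upper",                # capital P: pattern is case-sensitive
    'login failed {"password": "js0n-pw"}',  # quote before ':' breaks the match
]

if __name__ == "__main__":
    mask = build_masker(SAMPLE_ENV, ["API_KEY", "DB_PASSWORD", "SECRET_TOKEN"], PATTERNS)
    for raw in SAMPLE_LINES:
        print(mask(raw))
```

The last two sample lines come back unmasked, which is the kind of gap to test for before relying on a pattern list.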