Don't log scout key #297
Comments
|
For future googlers this is our wokaround until this issue is solved: And here are the tests: This is brittle (to put it mildly), so we'd love to see some progress on this issue. |
|
Hi @sburba Scout 2.14.3 has been released with a fix. We no longer log the full key, but instead the first 3 characters and a boolean indicating if it matches our normal pattern. We get many support issues for misconfigured keys so having quality log data about it lets us deal with these issues quickly. By the way, the scout key is not a particularly high risk API key. It's write-only, so if an attacker got it they could only send fake data to make your Scout charts inaccurate. Thanks for the push and let us know how if you have any problems with the new version, Adam |
|
Thanks! Love to see the quick change and we'll be sure to update. |
Currently we log the scout key from configuration and in the register method at startup. Security conscious companies don't want license keys in their log files. We should avoid logging the key, though perhaps a hash or a substring could be useful.
The text was updated successfully, but these errors were encountered: