Arrange Act Assert

Jag Reehals thinking on things, mostly product development

Pino Redaction: A Simple Solution to Secure Logging in Node.js Applications

22 Feb 2023

Pino is a popular and fast Node.js logging library that is designed for high-performance and low-overhead logging. It has many useful features, including support for structured logging, log levels, and log redaction.

Pino's log redaction lets you easily redact sensitive information from logs, which helps applications remain secure and compliant with regulations.


In this post, we'll take a closer look at Pino's logging redaction functionality: what it is and how it can be used, with examples.

What is Pino logging redaction?

Pino logging redaction is a feature that allows you to mask or remove sensitive data such as passwords, access tokens, or credit card numbers from logs. Redacting this data can help to protect it from unauthorized access, reduce the risk of data breaches, and support compliance with regulations such as GDPR.

Pino provides a simple way to configure redaction in your logs. You can use the redact option to define a list of properties that should be redacted from your logs. You can also specify a replacement value for the redacted properties, which is useful when you need to keep some information but want to mask certain parts.

Examples of Pino logging redaction

Let's take a look at some examples of how to use Pino logging redaction.

Redacting a single property

Suppose you have a log entry that contains a password field. You want to redact the password from the log. Here's how you can do it:

import pino from 'pino';

const logger = pino({
  transport: {
    target: 'pino-pretty',
  },
  redact: ['password'],
});

logger.info(
  {
    password: 'myPassword123',
    payment: {
      card: {
        number: '1234-5678-1234-5678',
        issuer: 'Visa',
      },
    },
  },
  'Log message'
);

which outputs:

[19:00:28.282] INFO (7132): Log message
    password: "[Redacted]"
    payment: {
      "card": {
        "number": "1234-5678-1234-5678",
        "issuer": "Visa"
      }
    }

Redacting nested properties

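Sometimes you need to redact multiple properties, including ones nested inside other objects. A nested property is addressed with a dot-separated path. Here's an example that redacts the password and the nested credit card number (payment.card.number) from the log output.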

import pino from 'pino';

const logger = pino({
  transport: {
    target: 'pino-pretty',
  },
  redact: ['password', 'payment.card.number'],
});

logger.info(
  {
    password: 'myPassword123',
    payment: {
      card: {
        number: '1234-5678-1234-5678',
        issuer: 'Visa',
      },
    },
  },
  'Log message'
);

which outputs:

[19:00:28.282] INFO (7132): Log message
    password: "[Redacted]"
    payment: {
      "card": {
        "number": "[Redacted]",
        "issuer": "Visa"
      }
    }

Using the censor property

You can use the censor property to control what redacted values are replaced with.

import pino from 'pino';

const logger = pino({
  transport: {
    target: 'pino-pretty',
  },
  redact: {
    paths: ['password', 'payment.card.number'],
    censor: '🤫',
  },
});

logger.info(
  {
    password: 'myPassword123',
    payment: {
      card: {
        number: '1234-5678-1234-5678',
        issuer: 'Visa',
      },
    },
  },
  'Log message'
);

which outputs:

[19:00:28.282] INFO (7132): Log message
    password: "🤫"
    payment: {
      "card": {
        "number": "🤫",
        "issuer": "Visa"
      }
    }

Removing sensitive data

Sometimes you may want to remove sensitive data from your logs altogether. You can do this by setting the remove property to true, which drops the redacted keys from the output instead of replacing their values.

import pino from 'pino';

const logger = pino({
  transport: {
    target: 'pino-pretty',
  },
  redact: {
    paths: ['password', 'payment.card.number'],
    remove: true,
  },
});

logger.info(
  {
    password: 'myPassword123',
    payment: {
      card: {
        number: '1234-5678-1234-5678',
        issuer: 'Visa',
      },
    },
  },
  'Log message'
);

which outputs:

[19:00:28.282] INFO (7132): Log message
    payment: {
      "card": {
        "issuer": "Visa"
      }
    }
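
Redact paths name exact locations, so a regression check over emitted logs helps confirm the configuration still covers every place a sensitive key appears. The following is an added example, not code from the original post: it scans newline-delimited JSON log lines in the shape Pino emits by default, and the function names, key list and sample lines are constructed for illustration.

```javascript
// Audit JSON log lines for sensitive keys whose value escaped redaction.
const CENSOR = '[Redacted]'; // default censor shown in the outputs above

// Recursively collect paths of sensitive keys whose value is not the censor.
function findLeaks(value, sensitiveKeys, censor = CENSOR, path = '') {
  if (value === null || typeof value !== 'object') return [];
  const isArray = Array.isArray(value);
  const leaks = [];
  for (const [key, child] of Object.entries(value)) {
    const here = isArray ? `${path}[${key}]` : (path ? `${path}.${key}` : key);
    if (!isArray && sensitiveKeys.has(key) && child !== censor) {
      leaks.push(here); // sensitive key carrying something other than the censor
    } else {
      leaks.push(...findLeaks(child, sensitiveKeys, censor, here));
    }
  }
  return leaks;
}

// Audit newline-delimited JSON; returns [{ line, path }] for every leak found.
function auditLogLines(ndjson, sensitiveKeys, censor = CENSOR) {
  const findings = [];
  ndjson.split('\n').forEach((text, index) => {
    if (!text.trim()) return; // skip blank lines
    let record;
    try {
      record = JSON.parse(text);
    } catch {
      findings.push({ line: index + 1, path: '<unparseable>' });
      return;
    }
    for (const path of findLeaks(record, sensitiveKeys, censor)) {
      findings.push({ line: index + 1, path });
    }
  });
  return findings;
}

// Constructed sample output for redact: ['password', 'payment.card.number'].
// Line 1 is covered by those paths; lines 2 and 3 carry the same keys elsewhere.
const SAMPLE_LOG = [
  '{"level":30,"time":1677092428282,"pid":7132,"hostname":"host","password":"[Redacted]","payment":{"card":{"number":"[Redacted]","issuer":"Visa"}},"msg":"Log message"}',
  '{"level":30,"time":1677092428290,"pid":7132,"hostname":"host","user":{"name":"alice","password":"myPassword123"},"msg":"Login"}',
  '{"level":30,"time":1677092428301,"pid":7132,"hostname":"host","cards":[{"number":"1234-5678-1234-5678","issuer":"Visa"}],"msg":"Wallet"}',
].join('\n');

console.log(auditLogLines(SAMPLE_LOG, new Set(['password', 'number'])));
```

Run a check like this in tests against captured logger output; each finding points at a path to add to the redact configuration.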