Masking Security-Sensitive Data in the HTTP Access Log
Use
The HTTP Provider Service masks the values of security-sensitive URL parameters, cookies, or headers that might be sent with the request. Those values appear as five dots in the relevant log file. The masking can be applied for both the Common Log File format and the SAP log format that you might be using. For more information about log formats, see Logging in Common Log File Format.
When using HTTP communication logging, you should consider your security policy, user access rights to log files, and the mechanisms that deployed Java EE applications use to exchange security-sensitive information over HTTP.
The following is a list of all elements masking applies to:
Path Parameters
- jsessionid

Request Parameters
- j_password
- j_username
- j_sap_password
- j_sap_again
- oldPassword
- confirmNewPassword
- ticket

HTTP Headers
- Authorization
- Cookie
- JSESSIONID
- MYSAPSSO2

The same masking applies to the above elements also in cases when the communication is performed over HTTPS.
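The following is an added example, not SAP code: a log audit that checks whether the path and request parameters listed above appear in logged request URLs with any value other than the five-dot mask. It assumes Common Log File format entries with a quoted request line and case-sensitive parameter names; the sample entries are constructed.

```python
import re
from urllib.parse import urlsplit

# Names copied from the list above; case-sensitive matching is an assumption.
PATH_PARAMS = {"jsessionid"}
REQUEST_PARAMS = {"j_password", "j_username", "j_sap_password", "j_sap_again",
                  "oldPassword", "confirmNewPassword", "ticket"}
MASK = "....."  # the "five dots" the page describes

# Quoted request line of a Common Log File format entry: "METHOD URL PROTOCOL"
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def unmasked_in_url(url):
    """Return sorted names of sensitive parameters whose value is not the mask."""
    parts = urlsplit(url)
    found = set()
    # Path parameters: ";name=value" appended to a path segment.
    for seg in parts.path.split(";")[1:]:
        name, _, value = seg.partition("=")
        value = value.split("/")[0]  # drop any path segments that follow
        if name in PATH_PARAMS and value != MASK:
            found.add(name)
    # Request parameters: split by hand so the raw logged value is compared.
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        if name in REQUEST_PARAMS and value != MASK:
            found.add(name)
    return sorted(found)

def audit(lines):
    """Return (line_number, names) for entries that expose a sensitive value."""
    report = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        names = unmasked_in_url(m.group(1)) if m else []
        if names:
            report.append((n, names))
    return report

# Constructed sample entries (not real log data).
SAMPLE = [
    '192.0.2.5 - - [12/Mar/2024:10:01:02 +0100] "GET /app/start;jsessionid=..... HTTP/1.1" 200 512',
    '192.0.2.5 - - [12/Mar/2024:10:01:03 +0100] "POST /app/login?j_username=.....&j_password=..... HTTP/1.1" 302 0',
    '192.0.2.9 - - [12/Mar/2024:10:02:10 +0100] "GET /app/pw?oldPassword=hunter2&confirmNewPassword=..... HTTP/1.1" 200 90',
    '192.0.2.9 - - [12/Mar/2024:10:02:11 +0100] "GET /app/start;jsessionid=A1B2C3?ticket=XYZ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, names in audit(SAMPLE):
        print(f"line {n}: unmasked {', '.join(names)}")
```

A non-empty report means the log contains values the masking should have hidden, for example because the entries were written by a component other than the HTTP Provider Service.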