Masking Sensitive Data
Some data should not be transferred outside the server on which it is processed. Typically this includes authorization data (cookies, tokens, passwords), personal data, and payment credentials. To prevent such data from being exposed, Wallarm lets you mask sensitive data; this article describes how to configure that masking.
Wallarm provides the Mask sensitive data rule to configure data masking. The Wallarm node sends the following data to the Wallarm Cloud:
- Serialized requests with attacks
- Wallarm system counters
- System statistics: CPU load, RAM usage, etc.
- Wallarm system statistics: number of processed NGINX requests, Tarantool statistics, etc.
- Information on the nature of the traffic that Wallarm needs to correctly detect the application structure
The Mask sensitive data rule cuts the original value of the specified request point before the request is sent to the postanalytics module and to Wallarm Cloud, so the sensitive value never leaves the trusted environment.
Because the value is removed before analysis, masking can affect how attacks are displayed, active attack (threat) verification, and the detection of brute-force attacks.
Creating and applying the rule
To create and apply a data mask:
- Proceed to Wallarm Console → Rules → Add rule.
- In If request is, describe the scope the rule applies to.
- In Then, choose Mask sensitive data.
- In In this part of request, specify the request points whose original value should be cut.
- Wait for the rule compilation to complete.
Example: masking a cookie value
Suppose your application, accessible at the example.com domain, uses the PHPSESSID cookie for user authentication, and you want to prevent employees working with Wallarm from seeing this value.
To do so, set the Mask sensitive data rule as shown in the screenshot.
Note that the options you add to In this part of request must be listed in a particular order, reflecting the order in which Wallarm applies its parsers to read the required request element (here: the header, then the cookie parser, then the cookie name).
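The following is an added illustration, not Wallarm's own code: it models a request point as the ordered parser chain described above (header → cookie parser → cookie name) and cuts only the named cookie's value from a constructed sample request, leaving the rest of the request intact. The replacement text `<masked>` and the sample request are assumptions made for this example.

```python
from typing import List

# Constructed sample request (not captured traffic); the session id is a made-up value.
SAMPLE_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Cookie: theme=dark; PHPSESSID=1a2b3c4d5e6f; lang=en\r\n"
    "User-Agent: curl/8.0\r\n"
    "\r\n"
)
MASK = "<masked>"  # placeholder replacement text chosen for this example


def mask_cookie_header(value: str, cookie_name: str) -> str:
    """Cookie parser: replace only the named cookie's value, keep the other cookies intact."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if sep and name == cookie_name:
            val = MASK
        out.append(name + sep + val)
    return "; ".join(out)


def mask_request_point(raw: str, point: List[str]) -> str:
    """Apply the parsers in the order given, e.g. ["header", "COOKIE", "PHPSESSID"]
    or ["header", "AUTHORIZATION"], and cut the value found at the end of the chain."""
    if len(point) not in (2, 3) or point[0].lower() != "header":
        return raw  # only header-based request points are modelled here
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i, line in enumerate(lines[1:], start=1):  # skip the request line
        name, colon, val = line.partition(":")
        if not colon or name.strip().lower() != point[1].lower():
            continue
        val = val.strip()
        if len(point) == 2:
            val = MASK  # second parser absent: the whole header value is cut
        else:
            val = mask_cookie_header(val, point[2])  # cookie parser, then cookie name
        lines[i] = f"{name}: {val}"
    return "\r\n".join(lines) + sep + body
```

A point that names a cookie not present in the request leaves the request unchanged, so a misordered or misspelled point silently masks nothing; check the result rather than assuming the rule applied.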