Masking Sensitive Data

It is crucial that sensitive data in your requests remains secure within your infrastructure and is not transmitted to any third-party service, including Wallarm Cloud. This goal is achieved through the shared responsibility model. On its side, Wallarm transmits no data other than data about malicious requests, which makes exposure of sensitive data highly unlikely. On your side, you are expected to mask sensitive data, which additionally guarantees that protected information fields never leave your security perimeter.

Wallarm provides the Mask sensitive data rule to configure data masking. The Wallarm node sends the following data to the Wallarm Cloud:

  • Serialized requests with attacks

  • Wallarm system counters

  • System statistics: CPU load, RAM usage, etc.

  • Wallarm system statistics: number of processed NGINX requests, Tarantool statistics, etc.

  • Information on the nature of the traffic that Wallarm needs to correctly detect application structure

The Mask sensitive data rule cuts the original value of the specified request point before sending the request to the postanalytics module and Wallarm Cloud. This method ensures that sensitive data cannot leak outside the trusted environment.

Masking can affect the display of attacks, active attack (threat) verification, and the detection of brute force attacks.

Creating and applying the rule

To set and apply a data mask:

  1. Proceed to Wallarm Console → Rules → Add rule.

  2. In If request is, describe the scope to apply the rule to.

  3. In Then, choose Mask sensitive data.

  4. In In this part of request, specify the request points whose original values should be cut.

  5. Wait for the rule compilation to complete.

Let us say your application, accessible at the example.com domain, uses the PHPSESSID cookie for user authentication, and you want to deny employees who use Wallarm access to this information.

To do so, set the Mask sensitive data rule as displayed on the screenshot.

Note that the options you add to In this part of request must go in a particular order, reflecting the order in which Wallarm applies parsers to read the required request element.
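The following Python sketch is an added illustration, not Wallarm's code. It models why the order matters for the PHPSESSID example: the Cookie header has to be selected first and the cookie parser applied second before the value can be cut. The point notation, the function names, the "***" placeholder and the sample request are assumptions made for the example.

```python
MASK = "***"  # assumed fixed placeholder, so the value's length is not revealed

def parse_cookie(raw):
    """Split a Cookie header value into an ordered name -> value mapping."""
    pairs = (item.strip().split("=", 1) for item in raw.split(";") if "=" in item)
    return {name: value for name, value in pairs}

def serialize_cookie(cookies):
    """Rebuild the Cookie header value from the mapping."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())

# Parser name -> (decode, encode). Only the cookie parser is modelled here.
PARSERS = {"cookie": (parse_cookie, serialize_cookie)}

def _mask(value, steps):
    """Apply the remaining parsers in order, cut the value, then re-serialize."""
    if not steps:
        return MASK
    parser, key = steps[0]
    decode, encode = PARSERS[parser]
    fields = decode(value)
    if key not in fields:
        return value  # the point is absent from this request: nothing to cut
    fields[key] = _mask(fields[key], steps[1:])
    return encode(fields)

def mask_request(request, point):
    """Return a copy of `request` with the value at `point` cut."""
    (kind, name), rest = point[0], point[1:]
    if kind != "header":
        raise ValueError("point must start by selecting a header")
    headers = dict(request["headers"])  # copy, so the original stays intact
    for header in headers:
        if header.upper() == name.upper():
            headers[header] = _mask(headers[header], rest)
    return {**request, "headers": headers}

# Constructed sample request and the ordered point for the PHPSESSID cookie.
SAMPLE = {"method": "GET", "uri": "/account",
          "headers": {"Host": "example.com",
                      "Cookie": "lang=en; PHPSESSID=3f9a1c0e7b; theme=dark"}}
POINT = [("header", "COOKIE"), ("cookie", "PHPSESSID")]

if __name__ == "__main__":
    print(mask_request(SAMPLE, POINT)["headers"]["Cookie"])
```

Only the PHPSESSID value is replaced; the other cookies and headers are kept, and a point listed in the reverse order is rejected because no header has been selected for the cookie parser to read.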

Marking sensitive data