Skip to main content

Sensitive data masking

Sensitive data masking limits risk to your organization and helps meet compliance requirements.

Data masking protects sensitive data in your applications by redacting it in vulnerability and attack reports that are sent to Contrast, syslog or security log.

Contrast offers several categories of sensitive data, or data types, that are comprised of specific keywords that the agent automatically identifies and redacts in reports. A user with at least RulesAdmin permissions can manage sensitive data.

Contrast agents mask sensitive data in query parameters, request headers, cookies and body. Your agent identifies sensitive data by searching for specific keywords used in the input name. If the agent finds a match, it redacts the value for that input, and replaces it with a placeholder with the format contrast-redacted-{datatype}, where datatype is the category of sensitive data to which the keyword belongs.

Contrast agents do not mask individual fields in request bodies with a content type other than application/x-www-form-urlencoded; however, you can configure the agent to mask the entire request body. Contrast agents also do not mask data that appears in the data flow portion of a vulnerability report, if using Assess, or in the vector of an attack event, if using Protect.


Contrast agents make a “best effort” attempt to avoid printing sensitive data in Contrast log statements; however, it’s possible that sensitive data could appear in the Contrast log, if the log level is set to DEBUG or lower. Whenever possible, you should avoid setting production systems to log at DEBUG or lower. If a system that deals with sensitive data is set to log at DEBUG or lower, you should take steps to ensure that those logs are not being sent to an external system to avoid leaking any sensitive data.

For example, this HTTP request sent by an agent as part of a vulnerability report shows two inputs that the agent identified as sensitive, as well as the placeholders it used to mask the values of the input before sending the report to Contrast, syslog server or security log.

PUT /employee/5 HTTP/1.1 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 30 
apikey: contrast-redacted-authentication-info 


In this case, the header value is masked because "apikey" matches a keyword in the "Authentication Info" data type, and the form parameter is redacted because "ssn" matches a keyword in the "Government ID" data type for your Contrast organization. (Keyword matches are case insensitive.)