Here at RIMdev, we are unapologetic about our love for static websites. Folks, static sites are the future! That said, there are times we...
asp.net core staticWe use Microsoft Azure Application Insights in our web applications. It logs tons of useful data about our applications, including web re...
.NETURLs are the bridges that connect our little island of a website to the bigger continent known as the Internet. Preserving URL integrity ...
IIS Azure SEOWe are in the process of deprecating many smaller subdomain app services and serving the same content through our flagship site. This pos...
Windows AzureIf you build .NET Core apps on your Mac and install https certificates to your keychain for development purposes, it’s helpful to know th...
Keychain MacOS CertificatesStandard Polyfills for Front End Getting your JavaScript applications working across all browsers is challenging. If you are writing you...
JavaScript Webpack PolyfillsStatic site hosting is straightforward, and from our experience, less likely to have errors compared to a more dynamic site. While dynami...
Azure StaticSeveral months ago, Bill Boga and I, realized there was a performance enhancement we could make in our infrastructure. We were utilizing ...
.NET PerformanceThis post covers augmenting an authenticated User for use in middleware or when using the [Authorize]-attribute in an MVC-controller. The...
ASP.NET Core IdentitySever AuthenticationIf you’re like me, you aspire to write clean and consistent scss. We use the power of scss for everything from nesting our selectors, cre...
SASSFeature flags can be useful for changing the runtime behavior of an application with minimal impact. Having a UI to toggle the feature fl...
.NET asp.net coreWhat is a machine key? According to https://docs.microsoft.com/en-us/dotnet/api/system.web.security.machinekey?view=netframework-4.7.2 a...
.NET asp.netWe’re in the process of upgrading our infrastructure to run our Azure Web Apps in multiple datacenter locations behind Azure Traffic Mana...
.NET asp.net asp.net coreIt can be tricky to run integration tests targeting a web server using the command line. Essentially, we need to: Start the applicati...
JavaScript npmI was trying to get a global .NET Core tool working on my development machine, which just so happens to be running macOS. I also work wit...
.NET macOSWe’ve moved around CSS frameworks in the past few years, Semantic UI for our application layer, and Bootstrap for our static sites. As ou...
SASSNew to the frontend at RIMdev, or looking for more about our Frontend team? Here’s a quick overview of our team, tools, and culture! As ...
Team RIMdev FrontendSimple transitions Vue.js has an extremely helpful was to handle animations in web apps. In a simple example if we want to display somet...
Vue.js JavaScript AnimationsAs web applications have gotten more complex, so has the technologies used to build them. Magic can be good when all works as intended, b...
Webpack JavascriptWe use Microsoft Azure Application Insights in our web applications. It logs tons of useful data about our applications, including web requests and requests to dependencies like databases. We also use Elasticsearch communicating over HTTPS. When an Elasticsearch url contains a password (https://user:[email protected]) we found it is logged to Application Insights in cleartext.
That said, here’s how to redact the password from any urls containing passwords:
Here’s an ITelemetryProcessor implementation that redacts passwords from HTTP and HTTPS urls.
using Microsoft.ApplicationInsights.Channel;
using Microsoft.ApplicationInsights.DataContracts;
using Microsoft.ApplicationInsights.Extensibility;
using System.Text.RegularExpressions;
namespace WebApplication
{
public class RemoveHttpUrlPasswordsTelemetry : ITelemetryProcessor
{
private static readonly Regex removePasswordRegex =
new Regex(@"http(s)?:\/\/.+:(?<password>.+)@", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private readonly ITelemetryProcessor next;
public RemoveHttpUrlPasswordsTelemetry(ITelemetryProcessor next)
{
this.next = next;
}
public void Process(ITelemetry item)
{
var request = item as DependencyTelemetry;
if (request != null && request.Type == "Http")
{
#pragma warning disable CS0618 // Type or member is obsolete
request.CommandName = RemovePasswordFromUrl(request.CommandName);
#pragma warning restore CS0618 // Type or member is obsolete
request.Data = RemovePasswordFromUrl(request.Data);
}
next.Process(item);
}
private static string RemovePasswordFromUrl(string url)
{
var match = removePasswordRegex.Match(url).Groups["password"];
if (match.Success)
{
url = url.Replace(match.Value, "REDACTED");
}
return url;
}
}
}
Next, use the RemoveHttpUrlPasswordsTelemetry class with Application Insights. There’s ASP.NET and ASP.NET Core examples at https://docs.microsoft.com/en-us/azure/azure-monitor/app/api-filtering-sampling#filtering-itelemetryprocessor.
This can help raise your security by not storing passwords in logs!
