mask-fields
description: Mask API request and response data sent to Speakeasy
sidebar_position: 3
Mask Sensitive Fields
Speakeasy can mask sensitive data in the query string parameters, headers, cookies and request/response bodies captured by the SDK. This is useful for maintaining sensitive data isolation, and retaining control over the data that is captured.
Mask By Endpoint
By not assigning the middleware to their router, you will cause the SDK to not capture any requests to that router. But if you would like to be more selective, you can mask certain sensitive data using our middleware controller allowing you to mask fields as needed in different handlers:
- Go
- Java
- Typescript
- Rust
func MyHandler(w http.ResponseWriter, r *http.Request) {
ctrl := speakeasy.MiddlewareController(req)
ctrl.Masking(speakeasy.WithRequestHeaderMask("Authorization")) // Mask the Authorization header in the request
// the rest of your handlers code
}
The Masking function takes a number of different options to mask sensitive data in the request:
speakeasy.WithQueryStringMask- WithQueryStringMask will mask the specified query strings with an optional mask string.speakeasy.WithRequestHeaderMask- WithRequestHeaderMask will mask the specified request headers with an optional mask string.speakeasy.WithResponseHeaderMask- WithResponseHeaderMask will mask the specified response headers with an optional mask string.speakeasy.WithRequestCookieMask- WithRequestCookieMask will mask the specified request cookies with an optional mask string.speakeasy.WithResponseCookieMask- WithResponseCookieMask will mask the specified response cookies with an optional mask string.speakeasy.WithRequestFieldMaskString- WithRequestFieldMaskString will mask the specified request body fields with an optional mask. Supports string fields only. Matches using regex.speakeasy.WithRequestFieldMaskNumber- WithRequestFieldMaskNumber will mask the specified request body fields with an optional mask. Supports number fields only. Matches using regex.speakeasy.WithResponseFieldMaskString- WithResponseFieldMaskString will mask the specified response body fields with an optional mask. Supports string fields only. Matches using regex.speakeasy.WithResponseFieldMaskNumber- WithResponseFieldMaskNumber will mask the specified response body fields with an optional mask. Supports number fields only. Matches using regex.
Coming Soon!
import { Masking } from '@speakeasy-api/speakeasy-typescript-sdk';
const app = express();
app.use(speakeasy.expressMiddleware());
app.all("/", (req, res) => {
ctrl := req.controller;
ctrl.setMaskingOpts(Masking.withRequestHeaderMask("authorization")) // Mask the authorization header in the request
// the rest of your handlers code
}
The Masking function takes a number of different options to mask sensitive data in the request:
Masking.withQueryStringMask- withQueryStringMask will mask the specified query strings with an optional mask string.Masking.withRequestHeaderMask- withRequestHeaderMask will mask the specified request headers with an optional mask string.Masking.withResponseHeaderMask- withResponseHeaderMask will mask the specified response headers with an optional mask string.Masking.withRequestCookieMask- withRequestCookieMask will mask the specified request cookies with an optional mask string.Masking.withResponseCookieMask- withResponseCookieMask will mask the specified response cookies with an optional mask string.Masking.withRequestFieldMaskString- withRequestFieldMaskString will mask the specified request body fields with an optional mask. Supports string fields only. Matches using regex.Masking.withRequestFieldMaskNumber- withRequestFieldMaskNumber will mask the specified request body fields with an optional mask. Supports number fields only. Matches using regex.Masking.withResponseFieldMaskString- withResponseFieldMaskString will mask the specified response body fields with an optional mask. Supports string fields only. Matches using regex.Masking.withResponseFieldMaskNumber- withResponseFieldMaskNumber will mask the specified response body fields with an optional mask. Supports number fields only. Matches using regex.
But if you would like to be more selective you can mask certain sensitive data using our middleware controller allowing you to mask fields as needed in different handlers:
use speakeasy_rust_sdk::{Masking, MiddlewareController, SpeakeasySdk, StringMaskingOption};
#[post("/index")]
async fn index(controller: ReqData<Arc<RwLock<MiddlewareController>>>) -> HttpResponse {
// create a specific masking for this request/response
let mut masking = Masking::default();
masking.with_request_field_mask_string("password", StringMaskingOption::default());
// set new masking for this request/response
controller.write().unwrap().set_masking(masking);
// rest of the handlers code
}
The Masking struct can be set with a number of different options to mask sensitive data in the request:
masking.with_query_string_mask- with_query_string_mask will mask the specified query strings with an optional mask string.masking.with_request_header_mask- with_request_header_mask will mask the specified request headers with an optional mask string.masking.with_response_header_mask- with_response_header_mask will mask the specified response headers with an optional mask string.masking.with_request_cookie_mask- with_request_cookie_mask will mask the specified request cookies with an optional mask string.masking.with_response_cookie_mask- with_response_cookie_mask will mask the specified response cookies with an optional mask string.masking.with_request_field_mask_string- with_request_field_mask_string will mask the specified request body fields with an optional mask. Supports string fields only. Matches using regex.masking.with_request_field_mask_number- with_request_field_mask_number will mask the specified request body fields with an optional mask. Supports number fields only. Matches using regex.masking.with_response_field_mask_string- with_response_field_mask_string will mask the specified response body fields with an optional mask. Supports string fields only. Matches using regex.masking.with_response_field_mask_number- with_response_field_mask_number will mask the specified response body fields with an optional mask. Supports number fields only. Matches using regex.
For complete docs on masking see the docs.rs/speakeasy-sdk-rust
Masking Headers Globally
Masking can also be done more globally on all routes or a selection of routes by taking advantage of middleware. Here is an example:
- Go
- Java
- Typescript
- Rust
speakeasy.Configure(speakeasy.Config {
APIKey: "YOUR API KEY HERE", // retrieve from Speakeasy API dashboard.
ApiID: "YOUR API ID HERE", // this is an ID you provide that you would like to associate captured requests with.
VersionID: "YOUR VERSION ID HERE", // this is a Version you provide that you would like to associate captured requests with.
})
r := mux.NewRouter()
r.Use(speakeasy.Middleware)
r.Use(func (next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Mask the Authorization header in the request for all requests served by this middleware
ctrl := speakeasy.MiddlewareController(req)
ctrl.Masking(speakeasy.WithRequestHeaderMask("Authorization"))
})
})
Coming Soon!
import speakeasy, { Config, Masking } from "@speakeasy-api/speakeasy-typescript-sdk";
import express from "express";
const app = express();
// Configure the global speakeasy SDK instance
const cfg: Config = {
apiKey: "YOUR API KEY HERE", // retrieve from Speakeasy API dashboard.
apiID: "YOUR API ID HERE", // custom Api ID to associate captured requests with.
versionID: "YOUR VERSION ID HERE", // custom Version ID to associate captured requests
port: 3000, // The port number your express app is listening on (required to build full URLs on non-standard ports)
};
speakeasy.configure(cfg);
// Add the speakeasy middleware to your express app
app.use(speakeasy.expressMiddleware());
app.use((req: Request, res: Response, next: NextFunction) => {
// Mask the authorization header in the request for all requests served by this middleware
ctrl := req.controller;
ctrl.setMaskingOpts(Masking.withRequestHeaderMask("authorization"))
next();
});
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| {
let config = Config {
// retrieve from Speakeasy API dashboard.
api_key: "YOUR API KEY HERE".to_string(),
// enter a name that you'd like to associate captured requests with.
// This name will show up in the Speakeasy dashboard. e.g. "PetStore" might be a good ApiID for a Pet Store's API.
// No spaces allowed.
api_id: "YOUR API ID HERE".to_string(),
// enter a version that you would like to associate captured requests with.
// The combination of ApiID (name) and VersionID will uniquely identify your requests in the Speakeasy Dashboard.
// e.g. "v1.0.0". You can have multiple versions for the same ApiID (if running multiple versions of your API)
version_id: "YOUR VERSION ID HERE".to_string(),
};
// Create a new Speakeasy SDK instance
let mut sdk = SpeakeasySdk::try_new(config).expect("API key is valid");
// Configure masking for query
sdk.masking.with_query_string_mask("secret", "********");
sdk.masking
.with_query_string_mask("password", StringMaskingOption::default());
// Configure masking for request
sdk.masking
.with_request_field_mask_string("password", StringMaskingOption::default());
// Configure masking for response
sdk.masking
.with_response_field_mask_string("secret", StringMaskingOption::default());
// create middleware
let speakeasy_middleware = Middleware::new(sdk);
let (request_capture, response_capture) = speakeasy_middleware.into();
App::new()
.wrap(request_capture)
.wrap(response_capture)
...
})
.bind(("127.0.0.1", 35290))?
.run()
.await
}