Redact Dynatrace token in error logs by arminru · Pull Request #3484 · micrometer-metrics/micrometer

I rebased this against 1.8.x, polished it a bit and merged.
Thank you very much for the contribution.

There is an important thing I would like to call out: this does not fix the issue but hides it in some places, not everywhere. Since the HTTP clients have the freedom of logging out the request URL, this change set will not guarantee that it will not be logged out: even if Micrometer won't, the underlying HTTP clients can (HttpURLConnection, OkHttp, etc.), and you have zero control over that.

Because of this, I would handle this as a critical security vulnerability in the Dynatrace API and add a possibility to send secrets in HTTP headers (there is at least one for this exact purpose). Once this is done, clients (like Micrometer) can migrate from query params to HTTP headers. That would make the purpose of the field clear and it would eliminate issues around logging out the URL.
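As an added example (not code from the PR or from Micrometer), the two shapes the comment contrasts: a helper that masks a named query parameter before a URL reaches a log line, and a request that carries the token in a header so the URL never contains it. The endpoint path, the `api-token` parameter name and the `Api-Token` authorization scheme are assumptions.

```java
import java.net.URI;
import java.net.http.HttpRequest;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Micrometer's code.
public final class TokenRedaction {
    private TokenRedaction() {}

    // Masks the value of one query parameter so the URL can be logged.
    // The value ends at the next '&' or at a '#' fragment; a URL without
    // the parameter is returned unchanged.
    public static String redactQueryParam(String url, String paramName) {
        Pattern p = Pattern.compile("([?&]" + Pattern.quote(paramName) + "=)[^&#]*");
        Matcher m = p.matcher(url);
        return m.replaceAll("$1<redacted>");
    }

    // Preferred shape: the secret travels in a header, so any client that
    // logs the request URL logs nothing sensitive. "Api-Token" is an
    // assumed scheme name, not taken from the PR.
    public static HttpRequest requestWithHeaderToken(String endpoint, String token) {
        return HttpRequest.newBuilder(URI.create(endpoint))
            .header("Authorization", "Api-Token " + token)
            .POST(HttpRequest.BodyPublishers.ofString("metrics payload"))
            .build();
    }

    public static void main(String[] args) {
        // Constructed sample URL; the token value is a placeholder.
        String url = "https://example.invalid/api/v1/export?api-token=PLACEHOLDER_TOKEN&precision=ms";
        System.out.println("query-param style, masked before logging:");
        System.out.println(redactQueryParam(url, "api-token"));

        HttpRequest r = requestWithHeaderToken("https://example.invalid/api/v1/export", "PLACEHOLDER_TOKEN");
        System.out.println("header style, URL safe to log as-is:");
        System.out.println(r.uri());
    }
}
```

Note that the first helper only protects log lines that pass through it; the header form removes the secret from the URL for every logger in the stack.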