Using sensitiveKeywords in the app.config

[gbowne-quickbase]

I wanted to beef up our security and obfuscate a few more items that are being logged with potentially sensitive information. I followed the instructions in the documentation at https://craftcms.com/docs/4.x/logging.html#sensitive-information but I still see those items with their .env values displayed in plaintext in the web logs.
Here's the top of my config/app.php file:

return [
    'components' => [
        'security' => [
            'sensitiveKeywords' => [
                'AWS_S3_ACCESS_KEY_ID',
                'AWS_S3_BASE_URL',

And here's a recent log line containing one of those:

Am I missing something?

[brandonkelly]

The reason that’s not working for you is because sensitiveKeywords is expected to be set to an array of lowercase, single-word keywords. Setting names are normalized as lowercased individual words (e.g. aws s3 base url) and then compared against those keywords.

I’ve just made the setting less strict, by having the keywords each normalized in the same way, which will fix this for you. (6e0881c)

In the meantime, you could do your own normalization, by replacing AWS_S3_BASE_URL with aws s3 base url. (You can just remove AWS_S3_ACCESS_KEY_ID because that’s already covered by key in the default list.)

[gbowne-quickbase]

Thanks for the quick reply and fix; that did the trick! Maybe a quick add to the docs would clear that up for future devs?

[brandonkelly]

Craft 4.5.14 is out now with that change. No docs change necessary now that it’s more gracious :)

[gbowne-quickbase]

@brandonkelly We've noticed that errors sent to /storage/logs/phperrors.log are not redacted. Is this something that can be enabled?

[brandonkelly]

Unfortunately no, those are fatal errors which Craft doesn’t have any control over.