dotnet · BillWagner · Dec 2, 2024 · Nov 28, 2024 · Nov 28, 2024
@@ -5,9 +5,9 @@ ms.date: 11/5/2024
 ai-usage: ai-assisted
 ---
 
-# URI query redaction in HttpClient EventSource events
+# URI query and fragment redaction in HttpClient EventSource events
 
-In .NET 9, the default behavior of <xref:System.Diagnostics.Tracing.EventSource> events emitted by <xref:System.Net.Http.HttpClient> and <xref:System.Net.Http.SocketsHttpHandler> (`EventSource` name: `System.Net.Http`) has been modified to scrub query strings. This change enhances privacy by preventing the logging of potentially sensitive information contained in query strings. If necessary, you can override this behavior.
+In .NET 9, the default behavior of <xref:System.Diagnostics.Tracing.EventSource> events emitted by <xref:System.Net.Http.HttpClient> and <xref:System.Net.Http.SocketsHttpHandler> (`EventSource` name: `System.Net.Http`) has been modified to scrub the query and the fragment part of the Uri. This change enhances privacy by preventing the logging of potentially sensitive information contained in query strings while keeping the performance costs of the redaction minimal. If necessary, you can override this behavior.
 
 ## Version introduced
 
@@ -19,15 +19,15 @@ Previously, events emitted by `HttpClient` and `SocketsHttpHandler` included que
 
 ## New behavior
 
-With the change in [dotnet/runtime#104741](https://github.com/dotnet/runtime/pull/104741), query strings are replaced by a `*` character in `HttpClient` and `SocketsHttpHandler` events, by default. This change affects specific events and parameters such as `pathAndQuery` in `RequestStart` and `redirectUri` in `Redirect`.
+With the change in [dotnet/runtime#104741](https://github.com/dotnet/runtime/pull/104741), the query and the fragment part by a `*` character in `HttpClient` and `SocketsHttpHandler` events, by default. This change affects specific events and parameters such as `pathAndQuery` in `RequestStart` and `redirectUri` in `Redirect`.
 
 ## Type of breaking change
 
 This change is a [behavioral change](../../categories.md#behavioral-change).
 
 ## Reason for change
 
-The primary reason for this change was to enhance privacy by reducing the risk of sensitive information being logged inadvertently. Query strings often contain sensitive data, and redacting them from logs by default helps protect this information.
+The primary reason for this change was to enhance privacy by reducing the risk of sensitive information being logged inadvertently. Query strings often contain sensitive data, and redacting them from logs by default helps protect this information. To keep the implementation simple and efficient, the fragment part is also being scrubbed together with the query.
 
 ## Recommended action
 

@@ -5,9 +5,9 @@ ms.date: 11/5/2024
 ai-usage: ai-assisted
 ---
 
-# URI query redaction in IHttpClientFactory logs
+# URI query and fragment redaction in IHttpClientFactory logs
 
-In .NET 9, the default implementation of <xref:System.Net.Http.IHttpClientFactory> has been modified to scrub query strings when logging URI information. This change enhances privacy by preventing the logging of potentially sensitive information contained in query strings. For scenarios where logging query strings is necessary and deemed safe, you can override this behavior.
+In .NET 9, the default implementation of <xref:System.Net.Http.IHttpClientFactory> has been modified to scrub query strings when logging URI information. This change enhances privacy by preventing the logging of potentially sensitive information contained in query strings while keeping the performance costs of the redaction minimal. For scenarios where logging query strings is necessary and deemed safe, you can override this behavior.
 
 ## Version introduced
 
@@ -19,15 +19,15 @@ Previously, the default implementation of `IHttpClientFactory` logging included
 
 ## New behavior
 
-The messages passed to <xref:Microsoft.Extensions.Logging.ILogger> now have query strings replaced by a `*` character.
+The messages passed to <xref:Microsoft.Extensions.Logging.ILogger> now have the query and the fragment part replaced by a `*` character.
 
 ## Type of breaking change
 
 This change is a [behavioral change](../../categories.md#behavioral-change).
 
 ## Reason for change
 
-The primary reason for this change is to enhance privacy by reducing the risk of sensitive information being logged inadvertently. Query strings often contain sensitive data and excluding them from logs by default helps protect this information.
+The primary reason for this change is to enhance privacy by reducing the risk of sensitive information being logged inadvertently. Query strings often contain sensitive data and excluding them from logs by default helps protect this information. The fragment part is being scrubbed to keep the implementation simple and efficient.
 
 ## Recommended action