Use the following configuration examples to quickly set up and customize the data_masking plugin. You’ll find scenarios that cover predefined entity masking, custom keyword and regex rules, fuzzy matching, and advanced combinations — all designed to help you protect sensitive data in both requests and responses.

Example 1: Basic Masking of Predefined Entities

This configuration masks credit card numbers and email addresses using built-in entity recognition.
{
  "name": "data_masking",
  "enabled": true,
  "stage": "pre_request",
  "priority": 1,
  "settings": {
    "predefined_entities": [
      {
        "entity": "credit_card",
        "enabled": true
      },
      {
        "entity": "email",
        "enabled": true
      }
    ]
  }
}

Example 2: Custom Keyword and Regex Masking

This configuration defines custom masking rules for a specific keyword and a 6-digit PIN using regex.
{
  "name": "data_masking",
  "enabled": true,
  "stage": "pre_request",
  "priority": 1,
  "settings": {
    "rules": [
      {
        "type": "keyword",
        "pattern": "internal-secret",
        "mask_with": "[MASKED_SECRET]"
      },
      {
        "type": "regex",
        "pattern": "\\b\\d{6}\\b",
        "mask_with": "[MASKED_PIN]"
      }
    ]
  }
}

Example 3: Combined Predefined Entities and Custom Rules

This example combines built-in entity masking with a custom regex pattern.
{
  "name": "data_masking",
  "enabled": true,
  "stage": "pre_request",
  "priority": 1,
  "settings": {
    "predefined_entities": [
      {
        "entity": "ssn",
        "enabled": true
      }
    ],
    "rules": [
      {
        "type": "regex",
        "pattern": "custom-[A-Z]{3}\\d{4}",
        "mask_with": "[MASKED_CUSTOM]"
      }
    ]
  }
}

Example 4: Apply All Matching Rules

This configuration enables multiple rules and applies all that match instead of stopping at the first.
{
  "name": "data_masking",
  "enabled": true,
  "stage": "pre_request",
  "priority": 1,
  "settings": {
    "apply_all": true,
    "rules": [
      {
        "type": "keyword",
        "pattern": "apikey",
        "mask_with": "[MASKED_KEY]"
      },
      {
        "type": "regex",
        "pattern": "INT-\\d{6}",
        "mask_with": "[MASKED_ID]"
      }
    ]
  }
}

Example 5: Fuzzy Matching with Similarity Threshold

This configuration uses fuzzy matching to catch slightly altered sensitive terms.
{
  "name": "data_masking",
  "enabled": true,
  "stage": "pre_request",
  "priority": 1,
  "settings": {
    "similarity_threshold": 0.8,
    "max_edit_distance": 1,
    "rules": [
      {
        "type": "keyword",
        "pattern": "secret",
        "mask_with": "[MASKED_SECRET]"
      }
    ]
  }
}

Example 6: Reversible Hashing for API Proxying

This configuration demonstrates reversible hashing, which temporarily masks sensitive data during processing but restores the original values in the final response. This is particularly useful for API proxying scenarios where you want to protect sensitive data as it passes through your gateway but deliver the original data to the end client.
{
  "name": "data_masking",
  "enabled": true,
  "stage": "pre_request",
  "priority": 1,
  "settings": {
    "reversible_hashing": {
      "enabled": true,
      "secret": "your-strong-secret-key-here"
    },
    "predefined_entities": [
      {
        "entity": "credit_card",
        "enabled": true
      },
      {
        "entity": "ssn",
        "enabled": true
      }
    ],
    "rules": [
      {
        "type": "regex",
        "pattern": "api-key-[a-zA-Z0-9]{16}",
        "mask_with": "[MASKED_API_KEY]"
      }
    ]
  }
}
To complete the reversible hashing process, you need to add a second instance of the plugin in the post_response stage:
{
  "name": "data_masking",
  "enabled": true,
  "stage": "post_response",
  "priority": 1,
  "settings": {
    "reversible_hashing": {
      "enabled": true,
      "secret": "your-strong-secret-key-here"
    }
  }
}