Modern applications often handle sensitive information such as personally identifiable information (PII), passwords, API keys, and other confidential data. Data Masking is a crucial practice that helps protect these sensitive details from exposure, both within your logs and API responses. By detecting and obfuscating sensitive data, you can ensure privacy, maintain compliance with regulatory standards, and reduce the risk of data leaks.

Why Data Masking Matters

  1. Privacy Protection Obfuscating personal information like names, addresses, or payment details helps safeguard users from identity theft or targeted attacks.
  2. Regulatory Compliance Many data protection regulations (e.g., GDPR, HIPAA, PCI-DSS) require that sensitive data be handled securely. Masking ensures compliance without hindering normal business processes.
  3. Secure Logging and Monitoring Since masked data cannot reveal the actual sensitive values, it’s safe to include these details in logs, debug traces, or monitoring systems without risking accidental leaks.
  4. Reduced Exposure In the event of an unauthorized access or breach, masked data is significantly less useful to attackers, minimizing the potential harm.

Plugin Highlights

  • Automatic PII Detection The plugin can identify a variety of PII entities (e.g., emails, phone numbers) and replace them with sanitized placeholders.
  • Custom Rules Define your own patterns or keywords to mask, giving you fine-grained control over exactly which data gets obfuscated.
  • Flexible Application Apply masking rules to requests, responses, or both, depending on your security and auditing requirements.
  • Reversible Hashing Temporarily mask sensitive data during processing while preserving the ability to restore original values in the final response.
  • Logging-Friendly Ensures logs remain useful for debugging while preventing unauthorized disclosure of sensitive information.

Technical Overview

The Data Masking plugin implements sophisticated pattern matching and text processing to identify and mask sensitive information in both requests and responses.

Configuration Parameters

ParameterTypeDescriptionDefault
apply_allbooleanEnable all predefined entitiesfalse
similarity_thresholdfloatThreshold for fuzzy matching (0.0-1.0)0.8
max_edit_distanceintegerMaximum allowed character differences1
predefined_entitiesarrayList of predefined entities to enable[]
rulesarrayCustom masking rules[]
reversible_hashingobjectConfiguration for reversible hashing{enabled: false}

Predefined Entity Options

ParameterTypeDescriptionRequired
entitystringEntity type from predefined listYes
enabledbooleanEnable/disable this entityYes
mask_withstringCustom mask to applyNo

Custom Rule Options

ParameterTypeDescriptionRequired
typestring”regex” or “keyword”Yes
patternstringPattern to matchYes
mask_withstringMask to applyNo

Reversible Hashing Options

ParameterTypeDescriptionRequired
enabledbooleanEnable/disable reversible hashingYes
secretstringSecret key used for generating secure hash valuesYes (if enabled)

Core Components

  1. Pattern Detection Engine
  • Pre-compiled regex patterns
  • Keyword matching system
  • Fuzzy matching support
  • Pattern variant generation
  1. Content Processor
  • JSON data handling
  • Plain text processing
  • Streaming support
  • Character encoding handling
  1. Masking System
  • Configurable mask patterns
  • Context-aware masking
  • Format preservation
  • Custom mask rules
  • Reversible hashing capability

Reversible Hashing

The Data Masking plugin supports a powerful feature called Reversible Hashing that allows sensitive data to be temporarily masked during processing but restored in the final response.

How It Works

  1. Pre-Request Stage:
    • When enabled, instead of replacing sensitive data with mask placeholders, the plugin generates secure HMAC-SHA256 hashes of the sensitive values
    • These hashes are used as replacements in the processed data
    • The original values and their corresponding hashes are stored in a temporary memory cache
  2. Processing Stage:
    • All operations work with the hashed values, keeping sensitive data protected during processing
  3. Post-Response Stage:
    • Before returning the response, the plugin replaces all hash values with their original sensitive data
    • This ensures that the final output contains the original values, while keeping them protected during processing

Use Cases

  • API Proxying: Mask sensitive data while it passes through your API gateway, but deliver the original data to the end client
  • Logging & Analytics: Process and analyze data in a secure form, but maintain the ability to restore original values when needed
  • Temporary Protection: Provide an additional layer of security during multi-step processing without permanently altering the data

Security Considerations

  • The secret key used for hashing should be strong and kept secure
  • Hashed values are only stored in memory temporarily and are automatically cleared after processing
  • This feature should be used with caution, as it does ultimately reveal the original sensitive data in the final response

Implementation Details

Pattern Matching System

The plugin uses multiple matching strategies:
  1. Exact Pattern Matching
  • Regular expression based
  • Pre-compiled patterns
  • Optimized execution
  • Cache-friendly design
  1. Fuzzy Matching
  • Similarity threshold control
  • Edit distance calculation
  • Character substitution handling
  • Pattern variants support

Content Processing Pipeline

  1. Input Processing
  • Content type detection
  • Encoding validation
  • Size verification
  • Format parsing
  1. Pattern Application
  • Priority-based scanning
  • Multi-pattern matching
  • Context preservation
  • Performance optimization
  1. Masking Execution
  • Format-specific masking
  • Character preservation
  • Length maintenance
  • Context awareness

Performance Optimization

Pattern Compilation

  • Pre-compiled regex patterns
  • Pattern caching
  • Optimized matching order
  • Early termination

Content Processing

  • Streaming processing
  • Chunked analysis
  • Buffer management
  • Memory efficiency

Security Considerations

  1. Mask Selection
  • Use meaningful masks
  • Maintain data format
  • Consider data context
  • Regular security review
  1. Pattern Testing
  • Comprehensive test cases
  • Edge case validation
  • Performance testing
  • Security validation

Additional Topics

  • PII Entities: A breakdown of built-in entity types the plugin can detect.
  • Custom Rules: How to create and apply your own masking rules.
  • Data Masking Examples: Real-world scenarios and configuration examples to demonstrate the plugin’s capabilities.
Data masking is an essential layer of security in any system handling sensitive or regulated data. By implementing robust masking strategies through this plugin, you help protect your users and maintain a high standard of data governance.