The Data Masking plugin in TrustGate enables automatic redaction of sensitive information in incoming requests. This guide walks you through configuring a forwarding rule with data masking enabled to help protect fields such as passwords, API keys, and personal identifiers.

Prerequisites

  • A TrustGate instance is running and accessible.
  • You have a valid Gateway and Service configured.
  • You have an API key with permission to create rules and plugins.

Overview

The Data Masking plugin identifies sensitive data using either regex patterns or keyword matches, and replaces them with a configurable masking string. It supports:

  • Regex-based pattern matching
  • Fuzzy keyword detection
  • Case sensitivity configuration
  • Optional preservation of string length

Use Case

You want to prevent downstream services from receiving user secrets such as:

  • API keys (e.g., secret_key)
  • Passwords in query parameters or body
  • Internal identifiers like INT-123456

Step-by-Step: Add a Data Masking Rule

1. Define the Rule Payload

Use the following JSON to create a forwarding rule with the data_masking plugin enabled:

{
  "path": "/mask",
  "service_id": "{{service_id}}",
  "methods": ["POST"],
  "strip_path": true,
  "plugin_chain": [
    {
      "name": "data_masking",
      "enabled": true,
      "stage": "pre_request",
      "parallel": true,
      "priority": 1,
      "settings": {
        "similarity_threshold": 0.8,
        "apply_all": true,
        "rules": [
          {
            "pattern": "secret_key",
            "type": "keyword",
            "mask_with": "[MASKED_KEY]",
            "preserve_len": false,
            "fuzzy_match": true,
            "case_sensitive": false
          },
          {
            "pattern": "(?i)password=\\S+",
            "type": "regex",
            "mask_with": "[MASKED_PASSWORD]",
            "preserve_len": false
          },
          {
            "pattern": "INT-\\d{6}",
            "type": "regex",
            "mask_with": "[MASKED_ID]",
            "preserve_len": true
          }
        ]
      }
    }
  ],
  "active": true
}