Built-in redaction of sensitive data in logs and debug output
qibb includes a built-in redaction mechanism to ensure that sensitive data is not exposed in logs or debugging outputs. This applies automatically across all flow apps and does not require additional configuration.
Overview
When data is processed in a flow, qibb inspects the payload before it is written to logs or displayed in the Flow Editor. If sensitive information is detected, the corresponding values are automatically masked with *******.
Scope of redaction
Redaction is consistently applied in the following areas:
Debug output in the Flow Editor UI
Backend log output (before logs are written and collected by qibb’s monitoring tools)
This behavior is part of qibb’s logging and monitoring system, ensuring that sensitive data is not exposed in logs or external monitoring tools.
Redaction of sensitive fields
Any JSON object or JSON-formatted string is scanned for sensitive keys. If a match is found, the value is masked. Redaction is applied recursively, meaning sensitive fields are also masked in nested objects.
The detection is based on a predefined list of keys. The following table lists all keys that are currently detected by the redaction logic:
Key | Category | Description |
|---|---|---|
| Credentials | Generic password field |
| Credentials | Alternate password naming (Unix/Linux style) |
| Credentials | Abbreviated password |
| Credentials | Common shorthand for password |
| Credentials | Generic secret value |
| Authentication | Generic authentication token |
| Authentication | API key (plain format) |
| Authentication | API key (kebab-case, often HTTP headers) |
| Authentication | API key (dot notation) |
| Authentication | API key (snake_case) |
| Session | Session identifier |
| Session | Session identifier (kebab-case) |
| Session | Session identifier (dot notation) |
| Session | Session identifier (snake_case) |
| Authentication | JWT ID token (identity) |
| Authentication | JWT access token |
| Authentication | JWT refresh token |
| HTTP Headers | Proxy authorization header |
| HTTP Headers | Authorization header (e.g. Bearer token) |
| HTTP Headers | Custom API key header |
| HTTP Headers | Set-Cookie response header |
| HTTP Headers | Cookie request header |
| Infrastructure | HashiCorp Vault token |
| Cloud (AWS) | AWS temporary security token |
| Cloud (AWS) | AWS access key |
| Cloud (AWS) | AWS access key ID |
| Cloud (AWS) | AWS access key (snake_case) |
| Cloud (AWS) | AWS access key ID (extended snake_case) |
| Cloud (AWS) | AWS secret key |
| Cloud (AWS) | AWS secret access key |
| Cloud (AWS) | AWS secret key (snake_case) |
| Cloud (AWS) | AWS secret key (extended snake_case) |
Credit card detection
In addition to key-based detection, qibb automatically masks values that match common credit card number formats.
This ensures protection even if sensitive data appears under unexpected field names.
Redaction of secrets from Secret Manager
In addition, a dynamic list of values for redaction is created when using qibb’s Secret Manager. All secrets stored via qibb’s Secret Manager are automatically protected by the same redaction logic, masking the secret values from both debug and log output.
Secret values are replaced with ******* (for string values longer than two characters).
This guarantees that secrets remain protected even when accessed programmatically in flows.
For more details about how to use the Secret Manager, see "Managing secrets in your space and accessing them from your flows".
Scope of Space Secrets
Note that the dynamic list of values for redaction is scoped to a space and the apps inside it. The Secret Manager node must be set up in the respective apps to ensure regular syncing.
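The three layers described above (recursive key matching in objects and JSON-formatted strings, credit card pattern matching, and value matching against a secret list) can be sketched as follows. This is an added example, not qibb's implementation: the key list, the card regex, the Luhn check and all function names are assumptions made for illustration.

```javascript
// Added illustration, not qibb's code. Key list and card regex are assumptions.
const MASK = "*******";
const SENSITIVE_KEYS = new Set(["password", "secret", "token", "api_key", "authorization", "cookie"]);
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g; // 13-19 digits, optional space/dash separators

// Luhn checksum, used here to avoid masking long numeric ids (assumption).
function luhnValid(digits) {
  let sum = 0;
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let d = Number(digits[i]);
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

function redactString(str, secrets) {
  // A JSON-formatted string is parsed, redacted as an object, and re-serialised.
  const t = str.trim();
  if (t.startsWith("{") || t.startsWith("[")) {
    try { return JSON.stringify(redact(JSON.parse(t), secrets)); } catch (_) { /* not JSON */ }
  }
  let out = str;
  // Value-based masking: only string secrets longer than two characters, longest first.
  const usable = secrets.filter((v) => typeof v === "string" && v.length > 2);
  for (const s of usable.sort((a, b) => b.length - a.length)) {
    out = out.split(s).join(MASK);
  }
  return out.replace(CARD_RE, (m) => (luhnValid(m.replace(/\D/g, "")) ? MASK : m));
}

function redact(value, secrets = []) {
  if (typeof value === "string") return redactString(value, secrets);
  if (Array.isArray(value)) return value.map((v) => redact(v, secrets));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? MASK : redact(v, secrets);
    }
    return out; // new object: the caller's payload is never mutated
  }
  return value; // numbers, booleans, null pass through
}

// Constructed sample payload (well-known test card number, made-up secret value).
const sample = { user: "alice", auth: { Password: "hunter2" }, note: "card 4111 1111 1111 1111",
  raw: '{"api_key":"abc123","n":1}', url: "https://x.example/?k=s3cr3t-value", order: 1234567890123 };
console.log(redact(sample, ["s3cr3t-value"]));
```

Values held as JSON numbers pass through this sketch unchanged, so a card number stored as a number rather than a string would need separate handling.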
Summary
qibb automatically protects sensitive data by masking it before it is logged or displayed. This includes:
Known sensitive fields in JSON data
Credit card number patterns
Secrets managed via the Secret Manager on space level
This built-in mechanism helps prevent accidental data exposure and supports secure development and operations without additional effort.