Data Masking
Data masking automatically protects sensitive information in your logs by replacing sensitive values with masked characters.
How Data Masking Works
ByteHide Logger automatically scans log messages and context objects for sensitive property names and masks their values:
// Original log
Log.info('User login', {
  context: { username: 'john.doe', password: 'secret123' }
});

// Output with masking
// [Info] User login { username: "john.doe", password: "***" }
Configuration
Configure data masking during logger initialization:
Log.configure({
  maskSensitiveData: ['password', 'token', 'secret', 'key']
  // Default: ['password', 'token']
});
Default Masked Properties
ByteHide Logger masks these properties by default:
Property Name | Example Values |
---|---|
password | password, PASSWORD, user_password |
token | token, ACCESS_TOKEN, auth_token |
Custom Masking Patterns
Log.configure({
  maskSensitiveData: [
    // Default patterns
    'password', 'token',
    // Custom patterns
    'secret', 'key', 'credential',
    'connectionstring', 'api_key', 'bearer_token',
    'ssn', 'credit_card', 'phone', 'email'
  ]
});
Masking Examples
Simple Object Masking
Log.info('User authentication', {
  context: {
    username: 'john.doe',
    password: 'mySecretPassword', // Will be masked
    email: 'john@example.com'
  }
});
// Output: { username: "john.doe", password: "***", email: "john@example.com" }
Complex Object Masking
const userProfile = {
  id: 123,
  username: 'john.doe',
  credentials: {
    password: 'secret123', // Masked
    apiKey: 'abc123xyz', // Masked if configured
    lastLogin: new Date()
  }
};

// `error` is the Error object caught by the surrounding catch block
Log.error('Profile update failed', {
  context: userProfile
}, error);
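To make the nested case concrete, here is a small stand-alone model of key-name masking, added as an illustration; it is not ByteHide Logger's code. It assumes a property is masked when its name contains a configured pattern, compared case-insensitively (as the default-properties table suggests), and the function name `maskSensitive` and the sample object are constructed for this example.

```javascript
// Illustrative model of key-name masking; NOT ByteHide Logger's implementation.
// Assumption: a property is masked when its name contains a configured
// pattern, compared case-insensitively.
function maskSensitive(value, patterns, seen = new WeakSet()) {
  // Primitives and Date objects are returned unchanged.
  if (value === null || typeof value !== 'object' || value instanceof Date) return value;
  if (seen.has(value)) return '[Circular]'; // guard against cyclic context objects
  seen.add(value);
  const lowered = patterns.map((p) => p.toLowerCase());
  let out;
  if (Array.isArray(value)) {
    out = value.map((item) => maskSensitive(item, patterns, seen));
  } else {
    out = {}; // build a copy so the caller's object is never mutated
    for (const [name, inner] of Object.entries(value)) {
      const hit = lowered.some((p) => name.toLowerCase().includes(p));
      out[name] = hit ? '***' : maskSensitive(inner, patterns, seen);
    }
  }
  seen.delete(value); // only ancestors on the current path count as cycles
  return out;
}

// Constructed sample input, modelled on the userProfile example above.
const sample = {
  id: 123,
  username: 'john.doe',
  credentials: { password: 'secret123', apiKey: 'abc123xyz', lastLogin: new Date(0) },
  sessions: [{ ACCESS_TOKEN: 'tok-1', ip: '192.0.2.10' }],
  note: 'retry with pwd=secret123' // secret inside a value, under a non-matching name
};

const defaults = maskSensitive(sample, ['password', 'token']);
const extended = maskSensitive(sample, ['password', 'token', 'key']);
console.log(JSON.stringify(defaults)); // apiKey still visible with the default list
console.log(JSON.stringify(extended)); // apiKey masked once 'key' is configured
```

In this model a short pattern such as 'key' would also match unrelated property names that merely contain it, and the secret embedded in the `note` string is left untouched because only property names are inspected.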
Environment-Specific Configuration
// Development - minimal masking
if (process.env.NODE_ENV === 'development') {
  Log.configure({
    maskSensitiveData: ['password', 'token']
  });
}

// Production - comprehensive masking
if (process.env.NODE_ENV === 'production') {
  Log.configure({
    maskSensitiveData: [
      'password', 'token', 'secret', 'key',
      'api_key', 'auth_token', 'bearer_token',
      'connectionstring', 'ssn', 'credit_card'
    ]
  });
}
Best Practices
Data Masking Best Practices
- Start with defaults: Begin with ['password', 'token'] and add as needed
- Test thoroughly: Verify masking works in all environments
- Consider compliance: Include patterns required by GDPR, HIPAA, PCI-DSS
- Review regularly: Audit your masking patterns periodically
Next Steps
- User Identification - Associate logs with specific users
- Global Metadata - Add consistent context to all logs
- Basic Logging - Learn fundamental logging methods