| outline |
|
||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| title | SECURITY_SENSITIVE Annotation | ||||||||||||||||||||||||||||
| titleTemplate | NpgsqlRest | ||||||||||||||||||||||||||||
| description | Mark PostgreSQL REST API endpoints as security-sensitive. Obfuscate passwords and sensitive data in logs. | ||||||||||||||||||||||||||||
| head |
|
::: info Also known as
sensitive, security (with or without @ prefix)
:::
Mark endpoint as security-sensitive to obfuscate parameter values in logs.
@sensitive
create function change_password(_old_password text, _new_password text)
returns boolean
language sql
begin atomic;
...;
end;
comment on function change_password(text, text) is
'HTTP POST
@authorize
@sensitive';Equivalent as a SQL file endpoint (sql/change-password.sql):
/*
HTTP POST
@authorize
@sensitive
@param $1 old_password
@param $2 new_password
*/
update users
set password_hash = crypt($2, gen_salt('bf'))
where id = current_user_id()
and password_hash = crypt($1, password_hash)
returning true;create function authenticate(_username text, _password text)
returns json
language sql
begin atomic;
...;
end;
comment on function authenticate(text, text) is
'HTTP POST
@login
@sensitive';create function process_payment(_card_number text, _cvv text, _amount numeric)
returns json
language sql
begin atomic;
...;
end;
comment on function process_payment(text, text, numeric) is
'HTTP POST
@authorize
@security_sensitive';- Parameter values are replaced with
***in logs - Helps prevent sensitive data from appearing in log files
- Applies to all parameters of the endpoint
- Logging Guide — command logging and parameter obfuscation
- Logging configuration - Configure logging output
- Comment Annotations Guide - How annotations work
- Configuration Guide - How configuration works