Configuration options

The following parameters apply when configuring the Apitally client in your application.yml file.

ParameterDescriptionType
client-idClient ID for your application. Find it on the Setup instructions page for your app.string
envName of the environment, e.g. prod or dev. The environment will be automatically created if it doesn’t exist.string
request-loggingConfiguration for request logging. See table below.object

Request logging config

The following are the properties of the request-logging configuration object.

ParameterDescriptionTypeDefault
enabledWhether request logging is enabled.booleanfalse
query-params-includedWhether to include query parameters in the logs. If disabled, these will be stripped from the request URLs logged.booleantrue
request-headers-includedWhether to include request headers in the logs. Default masking for common sensitive headers (e.g. Authorization) applies.booleanfalse
request-body-includedWhether to include the request body in the logs. Only JSON and text are supported, up to 50 KB.booleanfalse
response-headers-includedWhether to include response headers in the logs.booleantrue
response-body-includedWhether to include the response body in the logs. Only JSON and text are supported, up to 50 KB.booleanfalse
query-param-mask-patternsList of regular expressions for matching query parameters to mask. These are in addition to the default masking patterns.List<String>[]
header-mask-patternsList of regular expressions for matching headers to mask. These are in addition to the default masking patterns.List<String>[]
body-field-mask-patternsList of regular expressions for matching request/response body fields to mask. These are in addition to the default masking patterns.List<String>[]
path-exclude-patternsList of regular expressions for matching paths to exclude from logging.List<String>[]
callbacks-classFully qualified name of a class implementing RequestLoggingCallbacks for custom masking and exclusion logic.string-

Request object

Below are the properties of the Request objects that are passed to the callback methods.

PropertyDescriptionType
timestampUnix timestamp of the request.double
methodHTTP method of the request.string
pathPath of the request.string
urlFull URL of the request.string
headersArray of key-value pairs representing the request headers.Header[]
sizeSize of the request body in bytes.long
consumerIdentifier of the consumer making the request.string
bodyRaw request body as bytes.byte[]

Response object

Below are the properties of the Response objects that are passed to some of the callback methods.

PropertyDescriptionType
statusCodeHTTP status code of the response.int
responseTimeTime taken to respond to the request in seconds.double
headersArray of key-value pairs representing the response headers.Header[]
sizeSize of the response body in bytes.long
bodyRaw response body as bytes.byte[]

Default masking

The below regular expressions are used to mask sensitive query parameters, headers and request/response body fields.

// Query parameters
List<String> MASK_QUERY_PARAM_PATTERNS = Arrays.asList(
    "auth",
    "api-?key",
    "secret",
    "token",
    "password",
    "pwd"
);

// Headers
List<String> MASK_HEADER_PATTERNS = Arrays.asList(
    "auth",
    "api-?key",
    "secret",
    "token",
    "cookie"
);

// Request/response body fields
List<String> MASK_BODY_FIELD_PATTERNS = Arrays.asList(
    "password",
    "pwd",
    "token",
    "secret",
    "auth",
    "card[-_ ]?number",
    "ccv",
    "ssn"
);

Default exclusions

The below regular expressions are used to exclude common health check endpoints from logging. They are applied to the request path.

// Common paths of health check endpoints
List<String> EXCLUDE_PATH_PATTERNS = Arrays.asList(
    "/_?healthz?$",
    "/_?health[_-]?checks?$",
    "/_?heart[_-]?beats?$",
    "/ping$",
    "/ready$",
    "/live$"
);