Middleware

The following parameters apply when adding the Apitally middleware/plugin to your application.

| Parameter | Description | Type |
| --- | --- | --- |
| `clientId` | Client ID for your application. Find it on the Setup instructions page for your app. | `string` |
| `env` | Name of the environment, e.g. `prod` or `dev`. The environment will be automatically created in Apitally if it doesn’t exist. Defaults to `dev`. | `string` |
| `requestLoggingConfig` | Configuration for request logging. See table below. | `object` |
| `openApiUrl` | Path to the API endpoint providing the OpenAPI specification, e.g. `/openapi.json`. Pre-configured for FastAPI. | `string` |
| `appVersion` | The current version of your application, e.g. `1.0.0`. | `string` |
| `logger` | A custom logger instance. If not provided, a default logger is created automatically. | `object` |

Request logging config

The following are the keys of the requestLoggingConfig object.

| Parameter | Description | Type | Default |
| --- | --- | --- | --- |
| `enabled` | Whether request logging is enabled. | `boolean` | `false` |
| `logQueryParams` | Whether to include query parameters in the logs. If disabled, these will be stripped from the request URLs logged. | `boolean` | `true` |
| `logRequestHeaders` | Whether to include request headers in the logs. Default masking for common sensitive headers (e.g. `Authorization`) applies. | `boolean` | `false` |
| `logRequestBody` | Whether to include the request body in the logs. Only JSON and text are supported, up to 50 KB. | `boolean` | `false` |
| `logResponseHeaders` | Whether to include response headers in the logs. | `boolean` | `true` |
| `logResponseBody` | Whether to include the response body in the logs. Only JSON and text are supported, up to 50 KB. | `boolean` | `false` |
| `maskQueryParams` | Array of regular expressions for matching query parameter names that should be masked. | `RegExp[]` | `[]` |
| `maskHeaders` | Array of regular expressions for matching header names that should be masked. | `RegExp[]` | `[]` |
| `maskRequestBodyCallback` | Callback function for masking the request body. Takes one parameter `request` and returns the request body as `Buffer` or `null`. | `Function` | - |
| `maskResponseBodyCallback` | Callback function for masking the response body. Takes two parameters `request` and `response` and returns the response body as `Buffer` or `null`. | `Function` | - |
| `excludePaths` | Array of regular expressions for matching paths to exclude from logging. | `RegExp[]` | `[]` |
| `excludeCallback` | Callback function for excluding requests from logging. Takes two parameters `request` and `response` and returns `true` if the request should be excluded, or `false` otherwise. | `Function` | - |

Request object

Below are the properties of the request objects that are passed to the user-provided callback functions.

| Property | Description | Type |
| --- | --- | --- |
| `timestamp` | Unix timestamp of the request. | `number` |
| `method` | HTTP method of the request. | `string` |
| `path` | Path of the request. | `string` |
| `url` | Full URL of the request. | `string` |
| `headers` | Array of key-value pairs representing the request headers. | `[string, string][]` |
| `size` | Size of the request body in bytes. | `number` |
| `consumer` | Identifier of the consumer making the request. | `string` |
| `body` | Raw request body as bytes. | `Buffer` |

Response object

Below are the properties of the response objects that are passed to some of the user-provided callback functions.

| Property | Description | Type |
| --- | --- | --- |
| `statusCode` | HTTP status code of the response. | `number` |
| `responseTime` | Time taken to respond to the request in seconds. | `number` |
| `headers` | Array of key-value pairs representing the response headers. | `[string, string][]` |
| `size` | Size of the response body in bytes. | `number` |
| `body` | Raw response body as bytes. | `Buffer` |

Default masking

The regular expressions below are used by default to mask sensitive query parameters and headers. They are matched against parameter and header names.

```javascript
// Query parameters
const MASK_QUERY_PARAM_PATTERNS = [
  /auth/i,
  /api-?key/i,
  /secret/i,
  /token/i,
  /password/i,
  /pwd/i,
];
// Headers
const MASK_HEADER_PATTERNS = [
  /auth/i,
  /api-?key/i,
  /secret/i,
  /token/i,
  /cookie/i,
];
```
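
The default patterns above are listed for query parameters and headers; for request and response bodies the page provides the masking callbacks instead. The following is an added example (not Apitally's own code) of a `requestLoggingConfig` whose body callbacks redact sensitive JSON keys. The helper names, the `[masked]` placeholder, the extra query parameter patterns, the `/internal/` path and the treatment of a `null` return as "log no body" are assumptions made for illustration.

```javascript
// Added example: body-masking callbacks for requestLoggingConfig (not Apitally's code).
// Key patterns reuse the default query-parameter patterns listed on this page.
const SENSITIVE_KEY = /auth|api-?key|secret|token|password|pwd/i;
const MASK = "[masked]"; // placeholder chosen for this example

// Look up a header in the [name, value][] array passed to the callbacks.
function getHeader(headers, name) {
  const hit = (headers || []).find(([k]) => k.toLowerCase() === name.toLowerCase());
  return hit ? hit[1] : undefined;
}

// Recursively replace the value of every sensitive key in parsed JSON.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, SENSITIVE_KEY.test(k) ? MASK : redact(v)])
    );
  }
  return value;
}

// Return the redacted JSON body as a Buffer, or null when the body is missing,
// not JSON, or unparseable (fail closed instead of logging raw bytes).
function maskJsonBody(headers, body) {
  const type = getHeader(headers, "content-type") || "";
  if (!body || !/^application\/(.+\+)?json/i.test(type)) return null;
  try {
    return Buffer.from(JSON.stringify(redact(JSON.parse(body.toString("utf8")))));
  } catch (err) {
    return null;
  }
}

const requestLoggingConfig = {
  enabled: true,
  logRequestBody: true,
  logResponseBody: true,
  maskQueryParams: [/^code$/i, /signature/i], // names the listed defaults do not match
  excludePaths: [/^\/internal\//], // hypothetical path
  maskRequestBodyCallback: (request) => maskJsonBody(request.headers, request.body),
  maskResponseBodyCallback: (request, response) => maskJsonBody(response.headers, response.body),
};

// Constructed sample request, shaped like the request object documented above.
const sample = { headers: [["Content-Type", "application/json"]], body: Buffer.from('{"user":"ann","password":"x"}') };
console.log(String(requestLoggingConfig.maskRequestBodyCallback(sample)));
// prints {"user":"ann","password":"[masked]"}
```

Key-name matching only catches secrets stored under recognisable keys; values embedded in free-text fields pass through unchanged.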

Default exclusions

The regular expressions below are used by default to exclude common health check endpoints from logging. They are applied to the request path.

```javascript
// Common paths of health check endpoints
const EXCLUDE_PATH_PATTERNS = [
  /\/_?healthz?$/,
  /\/_?health[_-]?checks?$/,
  /\/_?heart[_-]?beats?$/,
  /\/ping$/,
  /\/ready$/,
  /\/live$/,
];
```