> ## Documentation Index
> Fetch the complete documentation index at: https://docs.apitally.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Masking and filtering

> Mask sensitive data and exclude requests from logging with the Apitally SDK for Python.

When request logging is enabled, the Apitally SDK captures details about each request and response handled by your application. To protect sensitive data and reduce noise, the SDK provides mechanisms for masking data and filtering out requests you don't want to log.

## Default masking and exclusion

The SDK automatically masks common sensitive query parameters, headers, and request/response body fields based on built-in patterns. For example, fields named `password`, `token`, `secret`, or headers like `Authorization` are masked by default.

To reduce noise, the SDK also automatically excludes common static assets and health check endpoints, such as `/robots.txt` or `/healthz`.

See the [data privacy](/data-privacy#data-masking) page for complete lists of default masking and exclusion patterns.

## Mask sensitive data

You can extend the default masking rules by providing additional regular expressions via the `mask_query_params`, `mask_headers`, and `mask_body_fields` parameters. Patterns are case-insensitive and match anywhere within the name. Use `^` and `$` anchors for exact matches.

For more control over request and response body masking, you can provide callback functions via the `mask_request_body_callback` and `mask_response_body_callback` parameters. The functions receive the captured request and response data as arguments (see [callback arguments](#callback-arguments) below) and should return the masked body as `bytes`, or `None` to mask the entire body.

<CodeGroup>
  ```python FastAPI example {13-19} theme={null}
  from fastapi import FastAPI
  from apitally.fastapi import ApitallyMiddleware

  app = FastAPI()
  app.add_middleware(
      ApitallyMiddleware,
      client_id="your-client-id",
      env="dev",
      enable_request_logging=True,
      log_request_headers=True,
      log_request_body=True,
      log_response_body=True,
      # Mask specific query parameters, headers and body fields
      mask_query_params=[r"^card_number$", r"^account_id$"],
      mask_headers=[r"^X-Custom-Key$", r"^X-Internal-"],
      mask_body_fields=[r"^credit_card$", r"social_security"],
      # Mask request and response body using custom logic (see examples below)
      mask_request_body_callback=mask_request_body,
      mask_response_body_callback=mask_response_body,
  )
  ```

  ```python Django example {8-14} theme={null}
  APITALLY_MIDDLEWARE = {
      "client_id": "your-client-id",
      "env": "dev",
      "enable_request_logging": True,
      "log_request_headers": True,
      "log_request_body": True,
      "log_response_body": True,
      # Mask specific query parameters, headers and body fields
      "mask_query_params": [r"^card_number$", r"^account_id$"],
      "mask_headers": [r"^X-Custom-Key$", r"^X-Internal-"],
      "mask_body_fields": [r"^credit_card$", r"social_security"],
      # Mask request and response body using custom logic (see examples below)
      "mask_request_body_callback": mask_request_body,
      "mask_response_body_callback": mask_response_body,
  }
  ```

  ```python Flask example {13-19} theme={null}
  from flask import Flask
  from apitally.flask import ApitallyMiddleware

  app = Flask(__name__)
  app.wsgi_app = ApitallyMiddleware(
      app,
      client_id="your-client-id",
      env="dev",
      enable_request_logging=True,
      log_request_headers=True,
      log_request_body=True,
      log_response_body=True,
      # Mask specific query parameters, headers and body fields
      mask_query_params=[r"^card_number$", r"^account_id$"],
      mask_headers=[r"^X-Custom-Key$", r"^X-Internal-"],
      mask_body_fields=[r"^credit_card$", r"social_security"],
      # Mask request and response body using custom logic (see examples below)
      mask_request_body_callback=mask_request_body,
      mask_response_body_callback=mask_response_body,
  )
  ```
</CodeGroup>

```python Callback function examples theme={null}
import json

def mask_request_body(request: dict) -> bytes | None:
    # Mask entire request body for admin endpoints
    if request["path"] and request["path"].startswith("/admin/"):
        return None
    # Otherwise, return the original request body
    return request["body"]

def mask_response_body(request: dict, response: dict) -> bytes | None:
    # Mask entire response body for admin endpoints
    if request["path"] and request["path"].startswith("/admin/"):
        return None
    # Mask specific fields in user profile responses
    if request["path"] and request["path"].startswith("/users/") and response["body"]:
        try:
            data = json.loads(response["body"])
            if isinstance(data, dict):
                if "email" in data:
                    data["email"] = "******"
                if "phone" in data:
                    data["phone"] = "******"
                return json.dumps(data).encode()
        except (json.JSONDecodeError, UnicodeDecodeError):
            pass
    # Otherwise, return the original response body
    return response["body"]
```

<Note>
  Callbacks are applied before pattern-based field masking. The returned body is still masked using the default and custom `mask_body_fields` patterns.
</Note>

## Exclude requests

You can exclude requests from logging using path patterns (regular expressions) via the `exclude_paths` parameter. Like the masking patterns, these are case-insensitive and match anywhere within the request path. Use `^` and `$` anchors for exact matches.

Alternatively, you can provide a callback function with custom exclusion logic via the `exclude_callback` parameter. The function receives the captured request and response data as arguments (see [callback arguments](#callback-arguments) below) and should return `True` to exclude the request from logging, or `False` to include it.

<CodeGroup>
  ```python FastAPI example {10-13} theme={null}
  from fastapi import FastAPI
  from apitally.fastapi import ApitallyMiddleware

  app = FastAPI()
  app.add_middleware(
      ApitallyMiddleware,
      client_id="your-client-id",
      env="dev",
      enable_request_logging=True,
      # Exclude paths matching certain patterns
      exclude_paths=[r"/admin/", r"/internal/"],
      # Exclude requests using custom logic (see example below)
      exclude_callback=exclude_request,
  )
  ```

  ```python Django example {5-8} theme={null}
  APITALLY_MIDDLEWARE = {
      "client_id": "your-client-id",
      "env": "dev",
      "enable_request_logging": True,
      # Exclude paths matching certain patterns
      "exclude_paths": [r"/admin/", r"/internal/"],
      # Exclude requests using custom logic (see example below)
      "exclude_callback": exclude_request,
  }
  ```

  ```python Flask example {10-13} theme={null}
  from flask import Flask
  from apitally.flask import ApitallyMiddleware

  app = Flask(__name__)
  app.wsgi_app = ApitallyMiddleware(
      app,
      client_id="your-client-id",
      env="dev",
      enable_request_logging=True,
      # Exclude paths matching certain patterns
      exclude_paths=[r"/admin/", r"/internal/"],
      # Exclude requests using custom logic (see example below)
      exclude_callback=exclude_request,
  )
  ```
</CodeGroup>

```python Callback function example theme={null}
def exclude_request(request: dict, response: dict) -> bool:
    # Exclude requests from a specific consumer
    if request["consumer"] == "internal-service":
        return True
    # Exclude successful requests (only log failures)
    if response["status_code"] < 400:
        return True
    return False
```

<Note>
  Excluded requests won't be logged, but are still counted in metrics. To exclude endpoints from metrics, you can mark them as excluded in the [dashboard](/api-metrics/traffic#exclude-endpoints).
</Note>

## Callback arguments

The `request` dict passed to callback functions has the following keys:

| Key         | Description                                               | Type                    |
| :---------- | :-------------------------------------------------------- | :---------------------- |
| `timestamp` | Unix timestamp of the request.                            | `float`                 |
| `method`    | HTTP method of the request.                               | `str`                   |
| `path`      | Path of the matched endpoint, if applicable.              | `str \| None`           |
| `url`       | Full URL of the request.                                  | `str`                   |
| `headers`   | List of key-value pairs representing the request headers. | `list[tuple[str, str]]` |
| `size`      | Size of the request body in bytes.                        | `int \| None`           |
| `consumer`  | Identifier of the consumer making the request.            | `str \| None`           |
| `body`      | Raw request body.                                         | `bytes \| None`         |

The `response` dict passed to `mask_response_body_callback` and `exclude_callback` has the following keys:

| Key             | Description                                                | Type                    |
| :-------------- | :--------------------------------------------------------- | :---------------------- |
| `status_code`   | HTTP status code of the response.                          | `int`                   |
| `response_time` | Time taken to respond to the request in seconds.           | `float`                 |
| `headers`       | List of key-value pairs representing the response headers. | `list[tuple[str, str]]` |
| `size`          | Size of the response body in bytes.                        | `int \| None`           |
| `body`          | Raw response body.                                         | `bytes \| None`         |