Skip to content

obs: Implement configurable IP masking for log privacy #222

Open
#276
Open
obs: Implement configurable IP masking for log privacy#222
#276
Assignees
nanaabdul1172
Labels
observabilitysecuritySecurity related issues
@Xhristin3

Description

@Xhristin3
Xhristin3
opened on Jun 15, 2026

Problem Statement

The request logger (api/src/middleware/request-logger.middleware.ts) and audit interceptor (api/src/audit/audit.interceptor.ts) log full IP addresses. Under GDPR and similar regulations, IP addresses are personally identifiable information and should be masked by default in production.

Evidence

// request-logger.middleware.ts
const ip = (req.headers["x-forwarded-for"] as string | undefined)?.split(",")[0]?.trim() ?? req.ip ?? null

// audit.interceptor.ts
const ip = (req.headers["x-forwarded-for"] as string) ?? req.ip ?? ""

Impact

Full IP addresses stored in logs and audit records. Potential GDPR compliance issue. No configurable anonymization.

Proposed Solution

Add LOG_IP_MASKING env var (default: "last-octet"). Mask the last octet of IPv4 addresses and the last 64 bits of IPv6 addresses before logging or storing.

Acceptance Criteria

  • IP masking enabled by default in production
  • Masked: 192.168.1.42192.168.1.0
  • Configurable masking level (none, last-octet, full-hash)
  • Audit logs store masked IPs

File Map

  • api/src/middleware/request-logger.middleware.ts — mask IP
  • api/src/audit/audit.interceptor.ts — mask IP
  • api/src/config/env.ts — add LOG_IP_MASKING

Labels: observability, security
Priority: Low | Difficulty: Beginner | Estimated Effort: 1h

Labels: observability,security
Priority: Low | Difficulty: Beginner | Estimated Effort: 1h
Backlog ID: REPO-039

Metadata

Metadata

Assignees

Labels

observabilitysecuritySecurity related issues

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions