Cookies logged to Azure App Service HTTP log

Arni Leibovits 1 Reputation point
2023-08-25T16:54:39.78+00:00

When inspecting HTTP logs of Azure App Service, I can see that full contents of cookies .AspNetCore.Identity.Application and .AspNetCore.Antiforgery.* are logged.

This is a direct violation of ASVS control points and by having full cookie information in logs anyone having access to logs have the opportunity to impersonate any user who has logged in.

In addition, client IP addresses are logged, which is PII.

How is it possible to turn of logging of cookies and IP addresses?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
8,044 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Grmacjon-MSFT 18,646 Reputation points
    2023-09-07T07:06:40.8466667+00:00

    @Arni Leibovits thanks for bringing this to our attention.

    You can configure Azure App Service to exclude sensitive information, such as cookies and IP addresses, from HTTP logs by using the applicationHost.xdt file. This file allows you to modify the configuration of the IIS server that hosts your App Service.

    Here are the steps you can follow to exclude sensitive information from HTTP logs:

    Create an applicationHost.xdt file: Create a file named applicationHost.xdt in the root directory of your App Service. This file will be used to modify the IIS server configuration.

    Add the following XML code to the applicationHost.xdt file:

    <?xml version="1.0"?>
    <configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
      <system.webServer>
        <httpLogging xdt:Transform="InsertIfMissing">
          <dontLogCookie xdt:Transform="InsertIfMissing" name=".AspNetCore.Identity.Application" />
          <dontLogCookie xdt:Transform="InsertIfMissing" name=".AspNetCore.Antiforgery.*" />
          <dontLogClientIp xdt:Transform="InsertIfMissing" />
        </httpLogging>
      </system.webServer>
    </configuration>
    

    This code adds the dontLogCookie and dontLogClientIp elements to the httpLogging element in the IIS server configuration. The dontLogCookie elements exclude the specified cookies from HTTP logs, and the dontLogClientIp element excludes client IP addresses from HTTP logs.

    Deploy the applicationHost.xdt file: Deploy the applicationHost.xdt file to your App Service by including it in your deployment package.

    Best,

    Grace

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.