@Arni Leibovits thanks for bringing this to our attention.
You can configure Azure App Service to exclude sensitive information, such as cookies and IP addresses, from HTTP logs by using the applicationHost.xdt file. This file allows you to modify the configuration of the IIS server that hosts your App Service.
Here are the steps you can follow to exclude sensitive information from HTTP logs:
applicationHost.xdt file: Create a file named applicationHost.xdt in the root directory of your App Service. This file will be used to modify the IIS server configuration.
Add the following XML code to the

<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.webServer>
    <httpLogging xdt:Transform="InsertIfMissing">
      <dontLogCookie xdt:Transform="InsertIfMissing" name=".AspNetCore.Identity.Application" />
      <dontLogCookie xdt:Transform="InsertIfMissing" name=".AspNetCore.Antiforgery.*" />
      <dontLogClientIp xdt:Transform="InsertIfMissing" />
    </httpLogging>
  </system.webServer>
</configuration>
This code adds the dontLogClientIp elements to the httpLogging element in the IIS server configuration. The dontLogCookie elements exclude the specified cookies from HTTP logs, and the dontLogClientIp element excludes client IP addresses from HTTP logs.
applicationHost.xdt file: Deploy the applicationHost.xdt file to your App Service by including it in your deployment package.
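
A way to check whether the exclusions are taking effect, as an added example that is not part of the original answer: it scans downloaded W3C-format HTTP log lines for client IPs and for the cookie names listed in the configuration above, reporting names only and never values. The function name, field list and sample log lines are constructed for illustration, and the `+`-for-space encoding inside logged fields is an assumption about the log format.

```python
import fnmatch

# Cookie name patterns copied from the configuration in the answer above.
SENSITIVE_COOKIES = [".AspNetCore.Identity.Application", ".AspNetCore.Antiforgery.*"]

# Constructed sample log (documentation IP range, placeholder cookie values).
SAMPLE_LOG = """#Software: constructed sample
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Cookie) sc-status
2024-01-01 10:00:00 GET /account 203.0.113.7 Mozilla/5.0 .AspNetCore.Identity.Application=CONSTRUCTED;+.AspNetCore.Antiforgery.abc123=CONSTRUCTED;+theme=dark 200
2024-01-01 10:00:01 GET /health - probe/1.0 - 200
""".splitlines()


def audit_w3c_log(lines, cookie_patterns=SENSITIVE_COOKIES):
    """Return (line_no, kind, detail) for each sensitive value still logged."""
    fields, findings = [], []
    for no, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # The #Fields directive names the columns of the lines that follow.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            findings.append((no, "malformed", "field count mismatch"))
            continue
        rec = dict(zip(fields, values))
        ip = rec.get("c-ip", "-")
        if ip != "-":  # "-" marks an empty field
            findings.append((no, "client-ip", ip))
        cookie = rec.get("cs(Cookie)", "-")
        if cookie != "-":
            # Assumption: spaces in the Cookie header are logged as "+".
            for pair in cookie.replace("+", " ").split(";"):
                name = pair.strip().split("=", 1)[0]
                if any(fnmatch.fnmatchcase(name, p) for p in cookie_patterns):
                    findings.append((no, "cookie", name))  # name only, no value
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit_w3c_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {detail}")
```

An empty result on logs written after the deployment means none of the listed cookies or client IPs appear in them.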