---
title: Redacting data
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/data-storage-and-privacy/redacting-data
---

To maintain [data privacy](https://www.fastly.com/documentation/guides/next-gen-waf/data-storage-and-privacy/about-data-storage-and-privacy/), Next-Gen WAF redacts sensitive data from requests before they reach the platform backend.

## Selective data transfer and redaction

The Next-Gen WAF agent filters requests locally to determine if they contain an attack. Only requests that are marked as attacks or anomalies are then sent to the platform backend after additional filtering and sanitizing are done. Once the agent identifies a potential attack or anomaly in a request, the agent sends only the individual parameter of the request which contains the attack payload, as well as a few other non-sensitive or benign portions of the request (e.g., client IP, user agent, or URI). The entire request is never sent to the platform backend. Additionally, specific portions of the request are automatically redacted and never sent to the backend, including tokens, credentials, and known patterns such as credit card and social security numbers.

## JSON API payloads

Next-Gen WAF automatically parses JSON key-value pairs and treats them like request parameters. The following sample requests demonstrate how redactions work within the context of a request.

The initial request:

```term nolinenums
POST /request HTTP/1.1
Content-Length: 72
Content-Type: application/json
Host: api.example.com

{"user":"user@api.example.com","password":"<script>alert(1)</script>mypassword","zip":94089}
```

What's sent to the Next-Gen WAF:

```term nolinenums
POST /request HTTP/1.1
Host: api.example.com

password=
```

The initial request:

```term nolinenums
POST /request HTTP/1.1
Content-Length: 72
Content-Type: application/json
Host: api.example.com

{"user":"user@api.example.com","password":"mypassword","zip":"<script>alert(1)</script>94089"}
```

What's sent to the Next-Gen WAF:

```term nolinenums
POST /request HTTP/1.1
Host: api.example.com

zip=<script>alert(1)</script>
```

## Sensitive headers

Next-Gen WAF redacts the following from requests:

- Explicit names: `authorization`, `x-auth-token`, `cookie`, `set-cookie`
- Any names that contain: `-token`, `-auth`, `-key`, `-sess`, `-pass`, `-secret`
- Query strings from `referer` and `location`

The initial request:

```term nolinenums
POST /example?sort=ascending HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)
Accept: text/html, application/xhtml+xml
Content-Length: 57
Cookie: foo=bar

sensitive=hunter2&foobar=<script>alert(1)</script>&page=3
```

What’s sent to the Next-Gen WAF:

```term nolinenums
POST /example HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)

foobar=<script>alert(1)</script>
```
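The header rules above, modelled as an added Python example (not Fastly's agent code): explicit names and any name containing one of the listed fragments are dropped, and the query string is stripped from `referer` and `location` while the rest of the URL is kept. The sample headers are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Header names redacted outright, and name fragments that cause a header
# to be redacted (both lists taken from this page; matching is case-insensitive).
EXPLICIT_NAMES = {"authorization", "x-auth-token", "cookie", "set-cookie"}
NAME_FRAGMENTS = ("-token", "-auth", "-key", "-sess", "-pass", "-secret")
# Headers carrying a URL: the query string is dropped, the rest is kept.
STRIP_QUERY = {"referer", "location"}

# Constructed sample headers, including one for each rule.
SAMPLE_HEADERS = [
    ("Host", "example.com"),
    ("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)"),
    ("Cookie", "foo=bar"),                      # explicit name
    ("X-Session-Id", "c0ffee"),                 # contains "-sess"
    ("Authorization", "Bearer example-token"),  # explicit name
    ("Referer", "https://example.com/login?next=/account"),  # query dropped
    ("Accept", "text/html, application/xhtml+xml"),
]


def redact_headers(headers):
    """Return the (name, value) pairs that would still be transmitted."""
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in EXPLICIT_NAMES or any(f in lname for f in NAME_FRAGMENTS):
            continue  # redacted: the header is never sent
        if lname in STRIP_QUERY:
            p = urlsplit(value)
            value = urlunsplit((p.scheme, p.netloc, p.path, "", p.fragment))
        kept.append((name, value))
    return kept


if __name__ == "__main__":
    for name, value in redact_headers(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```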

## Sensitive parameters

If a request contains an attack or anomaly, and also contains sensitive data in commonly-used parameter names, Next-Gen WAF will redact the entire contents of the sensitive parameter. These parameters include:

- `api_key`
- `password`
- `passwd`
- `pass`
- `pw`
- `user`
- `login`
- `loginid`
- `username`
- `email`
- `key`
- `id`
- `sid`
- `token`
- `request_token`
- `access_token`
- `csrfmiddlewaretoken`
- `oauth_verifier`
- `confirm_password`
- `password_confirmation`

The initial request:

```term nolinenums
POST /example HTTP/1.1

username=<script>alert("jsmith")</script>
```

What’s sent to the Next-Gen WAF:

```term nolinenums
POST /example HTTP/1.1

username=[redacted]
```

The control panel clearly displays which parameters have been redacted. Redacted parameters are replaced with the word `REDACTED` highlighted in yellow.

![A redacted parameter. The parameter is replaced with the word 'REDACTED' highlighted in yellow.](/img/ngwaf/redacted-param.png)

## Sensitive patterns

Next-Gen WAF automatically redacts known patterns of sensitive information, which includes the following:

- **Credit card numbers:** values like `4111-1111-1111-1111` become `0000-0000-0000-0000`
- **Social security numbers:** values like `078-05-1120` become `000-00-0000`
- **GUIDs:** values like `3F2504E0-4F89-41D3-9A0C-0305E82C3301` become `0000000-0000-0000-0000-000000000000`
- **Bank account (IBAN) numbers:** values like `DE75512108001245126199` become `AA00aaaa0000000`

The initial request:

```term nolinenums
POST /example HTTP/1.1

credit_card_example=<script>alert("4111-1111-1111-1111")</script>
```

What’s sent to the Next-Gen WAF:

```term nolinenums
POST /example HTTP/1.1

credit_card_example=<script>alert("0000-0000-0000-0000")</script>
```

Within the control panel we clearly display which patterns have been redacted. Redacted patterns are replaced with the word `REDACTED` highlighted in yellow.

![A redacted parameter. The parameter is replaced with the word 'REDACTED' highlighted in yellow.](/img/ngwaf/redacted-ssn.png)
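The parameter-level behaviour described in the JSON API payloads, sensitive parameters and sensitive patterns sections, modelled as one added Python example (not the agent's implementation): JSON keys are flattened into parameters, only the parameter carrying a payload is transmitted, names on the sensitive-parameter list are emptied, and card, SSN and GUID patterns are masked with a shape-preserving zero fill. The `<script` detection rule and the regexes are constructed assumptions, and IBANs are left out.

```python
import json
import re
from urllib.parse import parse_qsl

# Parameter names whose whole value is redacted (list taken from this page).
SENSITIVE_PARAMS = {
    "api_key", "password", "passwd", "pass", "pw", "user", "login", "loginid",
    "username", "email", "key", "id", "sid", "token", "request_token",
    "access_token", "csrfmiddlewaretoken", "oauth_verifier",
    "confirm_password", "password_confirmation",
}
# Constructed regexes approximating the documented pattern classes
# (IBANs omitted); every alphanumeric inside a match is zeroed.
PATTERNS = [
    re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),                               # card
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                                     # SSN
    re.compile(r"\b[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\b"),  # GUID
]
# Constructed stand-in for the agent's own attack detection.
ATTACK = re.compile(r"<script\b", re.IGNORECASE)


def mask_patterns(value):
    """Shape-preserving mask: separators stay, alphanumerics become '0'."""
    for pat in PATTERNS:
        value = pat.sub(lambda m: re.sub(r"[0-9A-Za-z]", "0", m.group(0)), value)
    return value


def flatten_params(content_type, body):
    """JSON keys are treated like form parameters; anything else is a form body."""
    if content_type.startswith("application/json"):
        return [(k, str(v)) for k, v in json.loads(body).items()]
    return parse_qsl(body, keep_blank_values=True)


def transmitted_params(content_type, body):
    """What a flagged request contributes to the backend in this model: only
    parameters carrying a payload, sensitive names emptied, patterns masked."""
    out = []
    for name, value in flatten_params(content_type, body):
        if not ATTACK.search(value):
            continue  # benign parameters are never transmitted
        if name.lower() in SENSITIVE_PARAMS:
            out.append((name, "[redacted]"))
        else:
            out.append((name, mask_patterns(value)))
    return out
```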

## Custom redactions

Beyond the default redactions listed above, you can specify additional fields to redact from requests. For example, if your password field is named `foobar` instead of `password`, that field can be specified for redaction.

> **IMPORTANT:** Accounts are limited to 100 redactions per site (also known as workspace).

### Creating custom redactions

When you have a sensitive field that is not filtered out by default, you can create a custom field redaction:

#### Next-Gen WAF Control Panel

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Sites** menu, select a site if you have more than one site.
3. From the **Rules** menu, select **Redactions**.
4. Click **Add redaction**.
5. In the **Field name** field, enter the name of the field to be redacted.
6. From the **Field type** menu, select the type of field to be redacted. Options include Request parameter, Request header, or Response header.
7. Click **Create redaction**.

#### Fastly Control Panel

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Security** > **Next-Gen WAF** > [**Workspaces**](https://manage.fastly.com/security/ngwaf/workspaces).
3. Click the gear <span class="inline-icons"><img src="/img/icons/gear.png" alt="Gear icon" /></span> next to the workspace that you want to modify.
4. Click **Redactions** and then **Add Redaction**.

   ![The Add redaction form completed for a request parameter representing cell phone numbers](/img/ngwaf/add-redaction.png)

5. In the **Field** field, enter the name of the field to be redacted.
6. From the **Type** menu, select the type of field to be redacted. Options include Request parameter, Request header, or Response header.
7. Click **Add Redaction**.

### Editing custom redactions

To edit a custom redaction, complete the following steps:

#### Next-Gen WAF Control Panel

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Sites** menu, select a site if you have more than one site.
3. From the **Rules** menu, select **Redactions**.
4. Click **View** to the right of the custom redaction you want to edit.
5. Click **Edit redaction**.
6. Change the **Field name** and **Field type** as needed.
7. Click **Update redaction**.

#### Fastly Control Panel

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Security** > **Next-Gen WAF** > [**Workspaces**](https://manage.fastly.com/security/ngwaf/workspaces).
3. Click the gear <span class="inline-icons"><img src="/img/icons/gear.png" alt="Gear icon" /></span> next to the workspace that you want to modify.
4. Click **Redactions**.
5. Click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> to the right of the redaction that you want to edit.

   ![The Edit redaction form completed for a request parameter representing cell phone numbers](/img/ngwaf/edit-redaction.png)

6. Change the **Field** and **Type** fields as needed.
7. Click **Update Redaction**.

### Deleting custom redactions

To delete a custom redaction, complete the following steps:

#### Next-Gen WAF Control Panel

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Sites** menu, select a site if you have more than one site.
3. From the **Rules** menu, select **Redactions**.
4. Click **View** to the right of the custom redaction you want to delete.
5. Click **Remove redaction**.
6. Click **Delete** to delete the redaction.

#### Fastly Control Panel

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Security** > **Next-Gen WAF** > [**Workspaces**](https://manage.fastly.com/security/ngwaf/workspaces).
3. Click the gear <span class="inline-icons"><img src="/img/icons/gear.png" alt="Gear icon" /></span> next to the workspace that you want to modify.
4. Click **Redactions**.
5. Click the trash <span class="inline-icons"><img src="/img/icons/trash.png" alt="Trash icon" /></span> to the right of the redaction that you want to delete.
6. Click **Delete**.

## Transparency

To allow easy verification of what the agent sends to the backend, we provide a way to view all agent-to-backend communication.

### Verifying in the control panel

To verify that our agents are correctly filtering and sanitizing requests, we provide a raw log of the data that is sent from our agents:

#### Next-Gen WAF Control Panel

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).
2. From the **Sites** menu, select a site if you have more than one site.
3. Click on **Agents**.
4. Click on the **Agent ID**.
5. Click the **Requests** tab.
6. Review the requests and verify that data is correctly redacted.

#### Fastly Control Panel

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Security** > **Next-Gen WAF** > [**Requests**](https://manage.fastly.com/security/ngwaf/requests).
3. Click the document icon <span class="inline-icons"><img src="/img/icons/document.png" alt="Document icon" /></span> to the right of a request.
4. Review the request details to verify the request was sanitized correctly.

### Verifying with the agent

You can also verify directly from the agent itself by setting the `debug-log-uploads` [agent configuration option](https://www.fastly.com/documentation/reference/ngwaf/agent-config#agentcfg_debug-log-uploads). For example, if you want to log all agent uploads in formatted JSON, add the following line to your agent configuration file (by default at `/etc/sigsci/agent.conf`):

```text
debug-log-uploads = 2
```

## Related content

- [Using an API with the Next-Gen WAF](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf)
