Skip to content

security: prevent credential leakage in log payloads and add transport warnings #132

Description

@brucearctor

Summary

Two security improvements identified during review of #124:

1. Credential attributes captured into behavioral logs

packageLogs.ts buildAttrs() captures all data-* attributes from DOM elements into log payloads. The attributeBlackList only excludes "style". This means data-api-key (new in #124) and data-auth (existing) can leak into behavioral logs when users interact near those elements.

File: products/userale/packages/flagon-userale/src/packageLogs.ts (~line 427)

const attributeBlackList = ["style"];
// All other data-* attributes are captured, including credentials

Fix: Add "data-api-key" and "data-auth" to attributeBlackList. Consider a more robust approach — a sensitiveAttributePattern that strips any attribute matching /^data-(api-key|auth|token|secret|password)/i.

2. No warning when credentials sent over plaintext HTTP

When apiKey or authHeader is configured, UserALE.js will happily send credentials over http:// with no warning. The default URL is http://localhost:8000.

Fix: When credentials are configured and the URL protocol is http: (and the hostname is NOT localhost/127.0.0.1), emit a console.warn:

if ((config.apiKey || config.authHeader) && url.protocol === "http:" && !["localhost", "127.0.0.1"].includes(url.hostname)) {
  console.warn("[UserALE] Sending credentials over plaintext HTTP. Use HTTPS in production.");
}

Context

Both findings surfaced during security review of #124. The attribute leakage is pre-existing (affects data-auth since before #124). The HTTPS warning is a new recommendation.

Priority

P1 — should be addressed before any regulated-industry deployment (fintech, healthcare, government).

Metadata

Metadata

Assignees

No one assigned

    Labels

    UseralePull requests that update Userale codebug

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions