I have an app that I want to connect to cloudflare for cdn. However, Cloudflare handles the https encryption for me so I'm worried that user passwords may be logged.
What are some good practices for shielding sensitive information from cdn providers?
https://developers.cloudflare.com/logs/
By default, Cloudflare does not retain your HTTP request logs. However, if you are a Spectrum customer, logs of Spectrum events are retained automatically.
When you have reason to believe that your service provider won’t uphold their end of the terms & conditions of your (data processing) contract/service agreement with them, then you shouldn’t do business with them.
From a technical perspective: the typical (default) logging that both your own systems as well as the service providers (when enabled by you) are going to do is HTTP request logging.
Don’t program your app to make requests containing sensitive data such as www.example.com/login?login=zcaudate&password=s3cr3t in the URI and you ensure that those logs won’t contain sensitive information.
Don’t underestimate the capability of users to enter their passwords in the username field and similar, so don’t assume that you only need to avoid requests with the password field, avoid them completely.
Good practice is not to use a CDN for sensitive information like this. Simple like that.
Use another domain (account....) to handle the login as i.e. Microsoft does (login.live.com) and do not run that through the CDN.
Use a stndard OAuth2 authentication scheme with a bearer token that always is only transmitted via header, never in the request url.
Done.
