diff --git a/changelog/unreleased/pr-13873.toml b/changelog/unreleased/pr-13873.toml
new file mode 100644
index 000000000000..a2f3a27487a8
--- /dev/null
+++ b/changelog/unreleased/pr-13873.toml
@@ -0,0 +1,5 @@
+type = "changed"
+message = "Mask custom properties for Kafka inputs on the inputs page to hide sensitive information."
+
+issues = ["13383"]
+pulls = ["13873"]
diff --git a/graylog2-server/src/main/java/org/graylog2/inputs/transports/KafkaTransport.java b/graylog2-server/src/main/java/org/graylog2/inputs/transports/KafkaTransport.java
index 4544e04f7d05..cb19c4f6127a 100644
--- a/graylog2-server/src/main/java/org/graylog2/inputs/transports/KafkaTransport.java
+++ b/graylog2-server/src/main/java/org/graylog2/inputs/transports/KafkaTransport.java
@@ -574,8 +574,9 @@ public ConfigurationRequest getRequestedConfiguration() {
                     "A newline separated list of Kafka properties. (e.g.: \"ssl.keystore.location=/etc/graylog/server/kafka.keystore.jks\").",
                     ConfigurationField.Optional.OPTIONAL,
                     ConfigurationField.PLACE_AT_END_POSITION,
-                    TextField.Attribute.TEXTAREA
-                    ));
+                    TextField.Attribute.TEXTAREA,
+                    TextField.Attribute.IS_SENSITIVE
+            ));
 
             return cr;
         }
diff --git a/graylog2-server/src/main/java/org/graylog2/plugin/configuration/fields/TextField.java b/graylog2-server/src/main/java/org/graylog2/plugin/configuration/fields/TextField.java
index 576ce46c0ff5..57d5d6fa39a4 100644
--- a/graylog2-server/src/main/java/org/graylog2/plugin/configuration/fields/TextField.java
+++ b/graylog2-server/src/main/java/org/graylog2/plugin/configuration/fields/TextField.java
@@ -26,7 +26,8 @@ public class TextField extends AbstractConfigurationField {
 
     public enum Attribute {
         IS_PASSWORD,
-        TEXTAREA
+        TEXTAREA,
+        IS_SENSITIVE
     }
 
     private String defaultValue;
diff --git a/graylog2-server/src/main/java/org/graylog2/rest/resources/system/inputs/AbstractInputsResource.java b/graylog2-server/src/main/java/org/graylog2/rest/resources/system/inputs/AbstractInputsResource.java
index 2b8e754074db..ad5cdcd50324 100644
--- a/graylog2-server/src/main/java/org/graylog2/rest/resources/system/inputs/AbstractInputsResource.java
+++ b/graylog2-server/src/main/java/org/graylog2/rest/resources/system/inputs/AbstractInputsResource.java
@@ -73,17 +73,27 @@ protected Map<String, Object> maskPasswordsInConfiguration(Map<String, Object> c
                         HashMap::new,
                         (map, entry) -> {
                             final ConfigurationField field = configurationRequest.getField(entry.getKey());
-                            if (field instanceof TextField) {
-                                final TextField textField = (TextField) field;
-                                if (textField.getAttributes().contains(TextField.Attribute.IS_PASSWORD.toString().toLowerCase(Locale.ENGLISH))
-                                        && !Strings.isNullOrEmpty((String) entry.getValue())) {
+                            if (field instanceof TextField && !Strings.isNullOrEmpty((String) entry.getValue())) {
+                                if (isPassword(field)) {
                                     map.put(entry.getKey(), "<password set>");
                                     return;
                                 }
+                                if (isSensitive(field)) {
+                                    map.put(entry.getKey(), "<value hidden>");
+                                    return;
+                                }
                             }
                             map.put(entry.getKey(), entry.getValue());
                         },
                         HashMap::putAll
                 );
     }
+
+    private static boolean isPassword(ConfigurationField field) {
+        return field.getAttributes().contains(TextField.Attribute.IS_PASSWORD.toString().toLowerCase(Locale.ENGLISH));
+    }
+
+    private static boolean isSensitive(ConfigurationField field) {
+        return field.getAttributes().contains(TextField.Attribute.IS_SENSITIVE.toString().toLowerCase(Locale.ENGLISH));
+    }
 }
diff --git a/graylog2-web-interface/src/components/configurationforms/ConfigurationWell.jsx b/graylog2-web-interface/src/components/configurationforms/ConfigurationWell.jsx
index 6bc92ed77ec1..9a3e06cf3608 100644
--- a/graylog2-web-interface/src/components/configurationforms/ConfigurationWell.jsx
+++ b/graylog2-web-interface/src/components/configurationforms/ConfigurationWell.jsx
@@ -66,7 +66,8 @@ class ConfigurationWell extends React.Component {
       const value = config[key];
       const requestedConfiguration = (typeDefinition && typeDefinition.requested_configuration ? typeDefinition.requested_configuration[key] : undefined);
 
-      if (requestedConfiguration && requestedConfiguration.attributes.indexOf('is_password') > -1) {
+      if (requestedConfiguration
+        && (requestedConfiguration.attributes.indexOf('is_password') > -1 || requestedConfiguration.attributes.indexOf('is_sensitive') > -1)) {
         return this._formatPasswordField(value, key);
       }
 
diff --git a/graylog2-web-interface/src/components/configurationforms/types.ts b/graylog2-web-interface/src/components/configurationforms/types.ts
index eadd1fe5e77e..190678e08b17 100644
--- a/graylog2-web-interface/src/components/configurationforms/types.ts
+++ b/graylog2-web-interface/src/components/configurationforms/types.ts
@@ -15,7 +15,7 @@
  * <http://www.mongodb.com/licensing/server-side-public-license>.
  */
 type NumberFieldAttributes = 'only_negative' | 'only_positive' | 'is_port_number';
-type TextFieldAttributes = 'is_password' | 'textarea';
+type TextFieldAttributes = 'is_password' | 'textarea' | 'is_sensitive';
 type ListFieldAttributes = 'allow_create';
 
 export type NumberField = {