From 5b12cd76d00db7207e76df506bc9d929be871c15 Mon Sep 17 00:00:00 2001
From: Benjamin Pelletier <BenjaminPelletier@users.noreply.github.com>
Date: Thu, 16 Jan 2025 14:20:08 +0000
Subject: [PATCH] [security] Clarify dumpRequests and set examples to false
 (#1146)

---
 cmds/core-service/main.go                                       | 2 +-
 .../terraform-commons-dss/templates/main.jsonnet.tmp            | 2 +-
 deploy/services/tanka/examples/minimum/main.jsonnet             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmds/core-service/main.go b/cmds/core-service/main.go
index 84cce24ac..20452ef26 100644
--- a/cmds/core-service/main.go
+++ b/cmds/core-service/main.go
@@ -50,7 +50,7 @@ var (
 
 	logFormat            = flag.String("log_format", logging.DefaultFormat, "The log format in {json, console}")
 	logLevel             = flag.String("log_level", logging.DefaultLevel.String(), "The log level")
-	dumpRequests         = flag.Bool("dump_requests", false, "Log HTTP request and response")
+	dumpRequests         = flag.Bool("dump_requests", false, "Log full HTTP request and response (note: will dump sensitive information to logs; intended only for debugging and/or development)")
 	profServiceName      = flag.String("gcp_prof_service_name", "", "Service name for the Go profiler")
 	garbageCollectorSpec = flag.String("garbage_collector_spec", "@every 30m", "Garbage collector schedule. The value must follow robfig/cron format. See https://godoc.org/github.com/robfig/cron#hdr-Usage for more detail.")
 
diff --git a/deploy/infrastructure/dependencies/terraform-commons-dss/templates/main.jsonnet.tmp b/deploy/infrastructure/dependencies/terraform-commons-dss/templates/main.jsonnet.tmp
index 85c093ed6..e9f6de78b 100644
--- a/deploy/infrastructure/dependencies/terraform-commons-dss/templates/main.jsonnet.tmp
+++ b/deploy/infrastructure/dependencies/terraform-commons-dss/templates/main.jsonnet.tmp
@@ -30,7 +30,7 @@ local metadata = metadataBase {
     jwksEndpoint: '${VAR_JWKS_ENDPOINT}',
     jwksKeyIds: ['${VAR_JWKS_KEY_ID}'],
     hostname: '${VAR_APP_HOSTNAME}',
-    dumpRequests: true,
+    dumpRequests: false,
     sslPolicy: '${VAR_SSL_POLICY}'
   },
   schema_manager+: {
diff --git a/deploy/services/tanka/examples/minimum/main.jsonnet b/deploy/services/tanka/examples/minimum/main.jsonnet
index 6110279e4..52005bc7b 100644
--- a/deploy/services/tanka/examples/minimum/main.jsonnet
+++ b/deploy/services/tanka/examples/minimum/main.jsonnet
@@ -27,7 +27,7 @@ local metadata = metadataBase {
     jwksEndpoint: 'VAR_JWKS_ENDPOINT',
     jwksKeyIds: ['VAR_JWKS_KEY_ID'],
     hostname: 'VAR_APP_HOSTNAME',
-    dumpRequests: true,
+    dumpRequests: false,
     sslPolicy: 'VAR_SSL_POLICY'
   },
   schema_manager+: {