Secret Shield
Pro
Prevent sensitive tokens, API keys, credentials, and customer personal data (PII) from leaking through request/response payloads.
How Secret Shield Works
Secret Shield scans request headers, request bodies, and outgoing response bodies in real time. It uses a high-performance regex and entropy-based matcher designed to identify secrets at the edge with near-zero latency impact: the regexes catch secrets with a known shape (key prefixes, connection strings, PEM headers), while the entropy check flags long opaque strings that look random enough to be a token even when no pattern names them.
When a pattern matches (e.g. a database connection string, Stripe API key, private key, or credit card number), Secret Shield acts according to your configured policy:
- Redact: Replaces the matching string with a placeholder such as `[REDACTED_STRIPE_KEY]` or `[REDACTED_PASSWORD]` before it reaches the origin (request scanning) or the client (response scanning).
- Block: Rejects the message entirely with a `400 Bad Request` for requests, or a `500 Internal Server Error` when a leak is detected in an outgoing response.
Dashboard Setup & Configuration
You can configure Secret Shield directly inside the EdgeWrap Dashboard:
- Navigate to your project in the dashboard at https://app.edgewrap.pro.
- Go to the Security page and select the Secret Shield tab.
- Toggle the Secret Shield switch to Enabled.
- Configure scanning options: choose whether to scan incoming requests, outgoing responses, or both.
- Select the default mitigation action: Masked (redacts secrets using placeholder tags), Blocked (rejects the request with a 400 status), or Logged Only (lets the request through but records a security event).
- Under Custom Patterns, you can add your own custom regular expressions to detect proprietary tokens or identifiers.
API Configuration
Alternatively, you can configure Secret Shield programmatically by sending a request to the control plane:
| Param | Type | Description |
|---|---|---|
| enabled | boolean | Enable or disable Secret Shield scanning. |
| scanRequests | boolean | Scan incoming requests to prevent clients from submitting secrets. Default: true. |
| scanResponses | boolean | Scan outgoing responses to prevent database credentials/tokens from leaking to clients. Default: true. |
| action | string | The action to execute: `redact` or `block`. Default: redact. |
Configure Secret Shield via API
```bash
curl -X PATCH https://server.edgewrap.pro/v1/projects/prj_01jxyz/secret-shield/config \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "scanRequests": true,
    "scanResponses": true,
    "action": "redact"
  }'
```

Note: Secret Shield scans body buffers up to 4 KB. Bodies larger than 4 KB bypass body scanning entirely (their headers are still scanned), so a secret embedded in a large payload will not be caught; treat Secret Shield as a safety net rather than the only control against credential leakage.