Secret Shield (Pro)

Prevent sensitive tokens, API keys, credentials, and customer personal data (PII) from leaking through request/response payloads.

How Secret Shield Works

Secret Shield scans request headers, request bodies, and outgoing response bodies in real time. It uses a high-performance regex- and entropy-based matcher designed to identify secrets at the edge with near-zero latency impact.

When a pattern matches (e.g. a database connection string, Stripe API key, private key, or credit card number), Secret Shield acts according to your configured policy:

  • Redact: Replaces the matching string with a placeholder like [REDACTED_STRIPE_KEY] or [REDACTED_PASSWORD] before it reaches the origin or client.
  • Block: Rejects the request entirely with a 400 Bad Request (or 500 Internal Server Error for outgoing response leaks).
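To make the policy described above concrete, here is a small scanner added as an illustration; it is not EdgeWrap's own matcher, whose rule set and thresholds this page does not describe. It implements the three pieces the description names: regex patterns for a few known secret shapes, a Shannon-entropy fallback for tokens no pattern recognises, and the redact/block policy with the 400/500 status codes, plus the 4 KB body cap mentioned in the note at the end of the page. The patterns, the entropy threshold, the sample message and every placeholder tag other than the two quoted above are constructed assumptions.

```python
import math
import re
from dataclasses import dataclass, field
from typing import Optional

# Illustrative patterns, constructed for this example (not EdgeWrap's real rule set).
PATTERNS = {
    "STRIPE_KEY": re.compile(r"\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "PRIVATE_KEY": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----[\s\S]*?"
        r"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "DB_CONNECTION_STRING": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s'\"]+:[^\s'\"]+@[^\s'\"]+"),
    "CREDIT_CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # candidate only; confirmed by Luhn
}
# Entropy fallback for tokens no regex knows: long base64 / url-safe runs.
TOKEN_CANDIDATE = re.compile(r"[A-Za-z0-9+/_\-=]{32,}")
ENTROPY_THRESHOLD = 4.5      # bits per character; a tuning assumption for this example
BODY_SCAN_LIMIT = 4 * 1024   # mirrors the 4 KB body cap noted on the page


def shannon_entropy(s):
    """Bits per character over the string's own symbol distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def luhn_ok(digits):
    """Luhn checksum, used to drop 13-16 digit runs that are not card numbers."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        v = int(d)
        if i % 2 == 1:
            v = v * 2 - 9 if v > 4 else v * 2
        total += v
    return total % 10 == 0


def find_secrets(text):
    """Return sorted (kind, start, end) hits: regex matches first, entropy fallback second."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "CREDIT_CARD" and not luhn_ok(re.sub(r"[ -]", "", m.group(0))):
                continue
            hits.append((kind, m.start(), m.end()))
    for m in TOKEN_CANDIDATE.finditer(text):
        overlaps = any(m.start() < e and s < m.end() for _, s, e in hits)
        if not overlaps and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            hits.append(("HIGH_ENTROPY_TOKEN", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


def redact(text, hits):
    """Replace each hit with a placeholder tag such as [REDACTED_STRIPE_KEY]."""
    out, pos = [], 0
    for kind, s, e in hits:
        if s < pos:            # overlaps a span already redacted
            continue
        out.append(text[pos:s])
        out.append(f"[REDACTED_{kind}]")
        pos = e
    out.append(text[pos:])
    return "".join(out)


@dataclass
class Verdict:
    blocked_status: Optional[int]   # None = pass through; 400 (request) / 500 (response) when blocked
    headers: dict
    body: str
    findings: list = field(default_factory=list)


def shield(headers, body, action="redact", direction="request"):
    """Apply the policy to one message. action: 'redact', 'block' or 'log' (pass through, record only)."""
    findings, new_headers = [], {}
    for name, value in headers.items():          # headers are always scanned
        hits = find_secrets(value)
        findings += [(f"header:{name}", kind) for kind, _, _ in hits]
        new_headers[name] = redact(value, hits) if action == "redact" else value
    new_body = body
    if len(body.encode("utf-8")) <= BODY_SCAN_LIMIT:   # oversized bodies skip body scanning
        hits = find_secrets(body)
        findings += [("body", kind) for kind, _, _ in hits]
        if action == "redact":
            new_body = redact(body, hits)
    if findings and action == "block":
        return Verdict(400 if direction == "request" else 500, {}, "", findings)
    return Verdict(None, new_headers, new_body, findings)


# Constructed sample message: a fake Stripe-style key, a test card number, a fake DB URL, a random token.
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "X-Debug-Token": "sk_test_EXAMPLE0000000000000000"}
SAMPLE_BODY = ('{"card": "4111 1111 1111 1111", '
               '"db": "postgres://admin:hunter2@db.internal:5432/app", '
               '"session": "q7Xp2LmZ9vRt4KwB8nYc0HsJ6dFg3aEu", "note": "hello"}')

if __name__ == "__main__":
    v = shield(SAMPLE_HEADERS, SAMPLE_BODY, "redact", "request")
    print(v.headers, v.body, v.findings, sep="\n")
    print(shield(SAMPLE_HEADERS, SAMPLE_BODY, "block", "response").blocked_status)
```

Regex hits take precedence over the entropy fallback, so a recognised key is labelled as such rather than as a generic high-entropy token, and the Luhn check keeps random 16-digit values (order ids, timestamps) from being masked as cards. The entropy threshold is the main tuning knob: lower it and ordinary identifiers such as UUIDs and hex digests start getting masked; raise it and short or structured secrets slip past the fallback, which is why the regex layer exists.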

Dashboard Setup & Configuration

You can configure Secret Shield directly inside the EdgeWrap Dashboard:

  1. Navigate to your project in the dashboard at https://app.edgewrap.pro.
  2. Go to the Security page and select the Secret Shield tab.
  3. Toggle the Secret Shield switch to Enabled.
  4. Configure scanning options: choose whether to scan incoming requests, outgoing responses, or both.
  5. Select the default mitigation action: Masked (redacts secrets using placeholder tags), Blocked (blocks requests with a 400 status), or Logged Only (allows the request but logs a security event).
  6. Under Custom Patterns, you can add your own custom regular expressions to detect proprietary tokens or identifiers.

API Configuration

Alternatively, you can configure Secret Shield programmatically by sending a request to the control plane:

Param          Type     Description
enabled        boolean  Enable or disable Secret Shield scanning.
scanRequests   boolean  Scan incoming requests to prevent clients submitting secrets. (default: true)
scanResponses  boolean  Scan outgoing responses to prevent database credentials/tokens from leaking to clients. (default: true)
action         string   The action to execute: 'redact' or 'block'. (default: redact)

Configure Secret Shield via API
curl -X PATCH https://server.edgewrap.pro/v1/projects/prj_01jxyz/secret-shield/config \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "scanRequests": true,
    "scanResponses": true,
    "action": "redact"
  }'

Note: Secret Shield processes body buffers up to 4 KB. Payloads larger than 4 KB bypass body scanning entirely; their headers are still scanned.