Long story short, user passwords are being passed in plain text via URL (horrible, yes, but not my idea), and this query string is being stored in the access log, which we clearly don't want so obvious.
Is there a way to prevent query strings from being stored in the access log without disabling CustomLog?
Your common log format includes the query string in %r (first line of request).
What you can do is to add a new log format (keep the old one for reference, no need to remove it)
LogFormat "%h %l %u %t \"%m %U %H\" %>s %b" common_no_querystring
where %m is the method (GET/POST), %U is the URL requested without querystring and %H is the HTTP version for the request. This will output the same line as %r, except the query string.
Then all you need to do is change the CustomLog line to:
CustomLog "logs/access.log" common_no_querystring
and you'll no longer get query strings in the log.
Have a look at Custom Log Formats, specifically
%U The URL path requested, not including any query string.
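The format change above only affects new entries; lines already written with %r still hold the query strings. The following added example (not part of either answer) goes one step further and scrubs such existing lines; the function names and the sample log lines are constructed for illustration.

```python
import re

# Common Log Format: %h %l %u %t "%r" %>s %b
# %r is "METHOD target PROTOCOL"; the target may carry "?query".
CLF = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<request>(?:[^"\\]|\\.)*)'   # request line, allowing escaped quotes
    r'(?P<suffix>" \d{3} \S+.*)$'     # status, size, any extra fields
)
QUERY = re.compile(r'\?[^\s"]*')

def strip_query(request):
    """Drop everything from the first '?' in the request target."""
    parts = request.split(" ")
    if len(parts) == 3:
        method, target, proto = parts
        return " ".join((method, target.split("?", 1)[0], proto))
    # Malformed request line: cut at the first '?' rather than keep a secret.
    return request.split("?", 1)[0]

def scrub_line(line):
    """Return the log line with the query string removed from %r."""
    line = line.rstrip("\n")
    m = CLF.match(line)
    if m is None:
        # Not in the expected format: remove anything that looks like a query.
        return QUERY.sub("", line)
    return m["prefix"] + strip_query(m["request"]) + m["suffix"]

# Constructed sample entries (documentation IP ranges, made-up credentials).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /login?user=alice&password=hunter2 HTTP/1.1" 200 2326',
    '198.51.100.4 - bob [10/Oct/2023:13:56:01 +0000] '
    '"POST /api/session?password=s3cret HTTP/1.1" 302 - "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scrub_line(entry))
```

If the server logs in the combined format, the Referer field can also carry a query string; this example only rewrites the request line.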