Mask sensitive data in API request/response in log browser

When detailed logging is enabled on an API, the log browser on the tyk dashboard captures and displays the complete details of both the incoming requests and the outgoing responses. I need to mask certain headers in the request.
I would like to know how I can achieve this.

PS: I’m using Tyk self managed version 4.3.3

1 Like

Hello and welcome to the community.

Have you had a look at our analytics plugin.


I have a couple of questions here -
In the analytics plugins documentation the following is mentioned -
“analytics_plugin”: {
“enable”: true,
“func_name”: “”,
“plugin_path”: “/”

  1. In the plugin_path - what path is to be used?
  2. How do we generate a .so file from .go file to build the plugin. Im using windows machine, I tried using wsl and MinGW-W64, I was not able to successfully do it.

The path mapped to your middleware directory (/opt/tyk-gateway/middleware/)

You can use docker run command along with tyk-plugin-compiler to build golang plugins. We have a getting started with Golang plugins on our documentation page that could prove helpful.

Additionally, you could install make using winget install make command and use our quick start guide to rapidly get and and running. We have a video tutorial that can guide you using the repo for convenience.

Thank you for pointing out the resources. Unfortunately its not working for me. The below are the details of what I have tried -

  1. PluginCode -
    func MyAnalyticsPluginMaskHeader(record *analytics.AnalyticsRecord) {
    str, err := base64.StdEncoding.DecodeString(record.RawRequest)
    if err != nil {

    var b = &bytes.Buffer{}

    r := bufio.NewReader(b)
    var req http.Request
    req, err = http.ReadRequest(r)
    if err != nil {
    req.Header.Add(“Foo”, “Bar”)
    req.Header.Set(“Foo”, strings.Repeat("
    ", len(req.Header.Get(“Foo”))))

    var bNew bytes.Buffer
    _ = req.Write(&bNew)
    record.RawRequest = base64.StdEncoding.EncodeToString(bNew.Bytes())

  2. API definition: added the following code -
    “analytics_plugin”: {
    “enable”: true,
    “plugin_path”: “/opt/tyk-gateway/middleware/”,
    “func_name”: “MyAnalyticsPluginMaskHeader”

The log browser doesnt reflect the changes made -
PFA the image of the logs -

Could you check the gateway logs for any possible errors in running the plugin?

You can enable debug logs log_level=debug for more verbose logs

Also, I see that your plugin name is slightly different that what it should have been. Did you build with v4.3.3 and rename it?

From version v4 and above, the gateway version, OS and architecture are appended to the name. You might want to check you are indeed using the right version.

After renaming the plugin name to include the version, it worked well.

Thank you so much for your response.