Using Hoss to Mask Response Fields
One of the biggest concerns when using third-party APIs in development is managing sensitive data, particularly personally identifiable information (PII). This is where data masking comes into the picture. Data masking is the process of replacing sensitive information, such as API keys or PII, with modified dummy data. An example of this is when you choose to use a saved password when logging into an email account – your browser will display a series of asterisks that correspond to your password but doesn’t actually reveal what your password is. Similarly, Hoss provides a data masking capability when monitoring your API requests and responses, obfuscating any sensitive information.
Today, we would like to walk you through using this feature. We’ll make a few sample API calls and demonstrate how you can mask sensitive fields. If you haven’t already signed up for Hoss, you’ll want to do so here. You may also want to view the Hoss documentation here.
Select the Desired Environment
On the Dashboard, you will need to determine which specific dashboard you need to access – Development, Production, or Staging. The default setting is Production – to change which dashboard you are viewing, you simply need to click on “Production” to select the mode from the ensuing dropdown menu. For purposes of this demo, we will be working in “Development”, but the process is identical regardless of mode.
View your Request History in Hoss
You will first need to navigate to the Hoss dashboard and select "Requests" to view your request history.
We have selected one of the Stripe requests to view. If you look closely at the Headers, you will notice that the “Authorization” header is visible. This field is something we’d like to obfuscate.
We can also see that in the response body, there are several fields that contain PII, including “email”, “address”, and “phone_number”. We will need to obfuscate these as well.
Masking relevant fields
You can mask fields in two ways: you can mask globally, or you can set masking preferences for specific APIs. We’ll show you how to do both.
As most APIs involve requests passing “Authorization” as a header, we will choose to mask “Authorization” at the global level.
Ensure that you have “All APIs” selected on the left-hand side, dive into “Settings”, and then click on “API Settings”. Here, you are able to choose fields to mask. As “Authorization” is an HTTP header, we have added it as a field to mask.
Query parameters and payload fields can also be masked, according to your security needs. Payload fields are specified using XPath or JSONPath expressions. You can find out more information about using XPath and JSONPath expressions here.
Masking for Specific APIs
We noticed that the response contained several fields that needed to be masked. For purposes of this demonstration, we’ll set these masks at the API level. We’re going to work with the Stripe API for this one, so on the left-hand toolbar, we will select “Stripe”. We will then dive into “Settings” once again, and click on “API Settings”. Any settings saved here will only affect the responses for the Stripe API.
We can now see that fields containing PII are masked.
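To make concrete what the global header mask and the API-level JSONPath masks above actually do to a captured request, here is an added example (our own illustration, not Hoss’s code or configuration format) that masks a constructed Stripe-like response. It supports only a small JSONPath subset (`$.a.b`, `$.list[*].field`, and `$..field` for recursive descent), and `effective_masks` mirrors the two levels of settings: global rules apply to every API, API-level rules only to the named one.

```python
import copy
import re

MASK = "********"  # replacement value, like the asterisks shown for a saved password

# Constructed sample: a Stripe-like customer response and headers, not real data
SAMPLE_HEADERS = {"Authorization": "Bearer sk_test_EXAMPLE", "Content-Type": "application/json"}
SAMPLE_BODY = {
    "id": "cus_EXAMPLE",
    "email": "jane@example.com",
    "address": {"line1": "1 Main St", "city": "Springfield"},
    "phone_number": "+1-555-0100",
    "sources": {"data": [{"id": "card_1", "phone_number": "+1-555-0101"}]},
}

def mask_headers(headers, names):
    """Return a copy of headers with the named headers masked (names are case-insensitive)."""
    wanted = {n.lower() for n in names}
    return {k: (MASK if k.lower() in wanted else v) for k, v in headers.items()}

def _tokens(path):
    # "$.a.b" -> ["a", "b"]; "$.data[*].x" -> ["data", "[*]", "x"]; "$..email" -> ["..", "email"]
    return re.findall(r"\.\.|\[\*\]|[^.\[\]]+", path.lstrip("$"))

def _select(node, tokens):
    """Yield (container, key) pairs selected by the remaining path tokens."""
    if not tokens:
        return
    tok, rest = tokens[0], tokens[1:]
    if tok == "..":  # recursive descent: try `rest` here and inside every nested container
        yield from _select(node, rest)
        kids = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
        for kid in kids:
            if isinstance(kid, (dict, list)):
                yield from _select(kid, tokens)
    elif tok == "[*]" and isinstance(node, list):
        for i in range(len(node)):
            yield from (_select(node[i], rest) if rest else [(node, i)])
    elif isinstance(node, dict) and tok in node:
        yield from (_select(node[tok], rest) if rest else [(node, tok)])

def mask_payload(body, paths):
    """Return a deep copy of body with every value matched by a path replaced by MASK."""
    masked = copy.deepcopy(body)
    for path in paths:
        for container, key in list(_select(masked, _tokens(path))):  # collect before mutating
            container[key] = MASK
    return masked

def effective_masks(api_name, global_rules, api_rules):
    """Global rules apply to every API; API-level rules are added only for that API."""
    return sorted(set(global_rules) | set(api_rules.get(api_name, [])))
```

Note that masking `$.address` replaces the whole nested object, so choose the path at the granularity you want removed from the stored request history.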
Now that you know how to utilize masking via the Hoss platform, you will be able to improve compliance with privacy regulations. To read more about how you can leverage Hoss to improve application performance and to stay on top of the latest developer trends, visit our blog.