securenow 4.0.2 → 4.0.3

package/BODY-CAPTURE-QUICKSTART.md

@@ -0,0 +1,147 @@
+# 📝 Request Body Capture - Quick Start
+
+## Enable in 30 Seconds
+
+### Step 1: Enable
+Add to `.env.local`:
+```bash
+SECURENOW_CAPTURE_BODY=1
+```
+
+### Step 2: Deploy
+```bash
+npm run dev  # or deploy to production
+```
+
+### Step 3: Done! ✅
+
+All POST/PUT/PATCH request bodies are now captured with sensitive data automatically redacted!
+
+---
+
+## What Gets Captured (ALL with Auto-Redaction!)
+
+✅ **JSON** - API payloads (objects redacted)  
+✅ **GraphQL** - Queries and mutations (arguments/variables redacted)  
+✅ **Form Data** - Form submissions (parsed and redacted)  
+❌ **File Uploads** - NOT captured at all (by design)
+
+---
+
+## Security Built-In
+
+These fields are **automatically redacted**:
+- `password`, `token`, `api_key`, `secret`
+- `access_token`, `auth`, `credentials`
+- `card`, `cardnumber`, `cvv`, `ssn`
+- And 15+ more sensitive fields
+
+**Example:**
+```json
+// Original
+{"username": "john", "password": "secret123"}
+
+// Captured
+{"username": "john", "password": "[REDACTED]"}
+```
+
+---
+
+## Configuration Options
+
+```bash
+# Enable capture (required)
+SECURENOW_CAPTURE_BODY=1
+
+# Max body size in bytes (default: 10KB)
+SECURENOW_MAX_BODY_SIZE=20480
+
+# Add custom sensitive fields to redact
+SECURENOW_SENSITIVE_FIELDS=email,phone,address
+```
+
+---
+
+## View in SigNoz
+
+Query for captured bodies:
+```
+http.request.body IS NOT NULL
+```
+
+See specific endpoint:
+```
+http.target = "/api/checkout"
+AND http.request.body CONTAINS "product"
+```
+
+---
+
+## Examples
+
+### Next.js API Route
+```typescript
+// app/api/login/route.ts
+export async function POST(request: Request) {
+  const body = await request.json();
+  // Body automatically captured in traces!
+  return Response.json({ success: true });
+}
+```
+
+### Express.js
+```javascript
+app.post('/api/login', (req, res) => {
+  // req.body automatically captured!
+  res.json({ success: true });
+});
+```
+
+---
+
+## Safety Features
+
+✅ **Size limits** - Bodies over limit show `[TOO LARGE]`  
+✅ **Auto-redaction** - 20+ sensitive fields protected  
+✅ **Type detection** - JSON, GraphQL, Form parsed correctly  
+✅ **No file capture** - Multipart uploads excluded  
+✅ **Fast** - < 1ms overhead per request
+
+---
+
+## Common Use Cases
+
+1. **Debug API errors** - See exact input that caused error
+2. **Monitor GraphQL** - Track slow queries
+3. **Validate inputs** - Understand user input patterns
+4. **Track features** - See which API features are used
+5. **Security analysis** - Detect malicious payloads
+
+---
+
+## Privacy Notes
+
+⚠️ Request bodies may contain personal data
+
+**Best practices:**
+- Add relevant fields to `SECURENOW_SENSITIVE_FIELDS`
+- Set appropriate retention in SigNoz
+- Document in privacy policy
+- Consider GDPR/CCPA requirements
+
+---
+
+## Full Documentation
+
+See [REQUEST-BODY-CAPTURE.md](./REQUEST-BODY-CAPTURE.md) for:
+- Complete security guide
+- GDPR compliance tips
+- Advanced configuration
+- Performance optimization
+- Troubleshooting
+- FAQ
+
+---
+
+**That's it!** Enable with one environment variable, get full request visibility with automatic security. 🔒
+

package/CUSTOMER-GUIDE.md

@@ -125,6 +125,25 @@ Open your **SigNoz dashboard** and you'll see traces immediately!
 - Performance analysis by region
 - Marketing attribution
 
+### 📝 Request Body Capture (Optional - Enable It!)
+- **JSON Payloads** - Capture API request bodies
+- **GraphQL Queries** - See full queries in traces
+- **Form Submissions** - Track form data
+- **Auto-Redaction** - Passwords, tokens, cards automatically hidden
+- **Size Limits** - Configurable max body size
+- **GDPR-Friendly** - Built-in sensitive field protection
+
+**Enable:** `SECURENOW_CAPTURE_BODY=1` in `.env.local`
+
+**Perfect for:**
+- Debugging API issues with exact inputs
+- Monitoring GraphQL query patterns
+- Understanding user input behavior
+- Validating request schemas
+- Troubleshooting edge cases
+
+See [REQUEST-BODY-CAPTURE.md](./REQUEST-BODY-CAPTURE.md)
+
 ### ✅ Next.js Built-in Spans
 - HTTP requests
 - API routes

package/NEXTJS-GUIDE.md

@@ -113,6 +113,16 @@ SecureNow automatically captures comprehensive request data:
 
 See [AUTOMATIC-IP-CAPTURE.md](./AUTOMATIC-IP-CAPTURE.md) for full details.
 
+### 📝 Request Body Capture (Optional!)
+- **JSON Bodies** - API payloads with sensitive fields redacted
+- **GraphQL Queries** - Full query capture
+- **Form Data** - Form submissions
+- **Auto-Redaction** - Passwords, tokens, cards automatically hidden
+
+Enable with: `SECURENOW_CAPTURE_BODY=1`
+
+See [REQUEST-BODY-CAPTURE.md](./REQUEST-BODY-CAPTURE.md) for full details.
+
 ### Next.js Built-in Spans
 - ✅ HTTP requests (`[http.method] [next.route]`)
 - ✅ API routes execution

package/NEXTJS-QUICKSTART.md

@@ -35,7 +35,7 @@ export function register() { registerSecureNow(); }
 
 ```bash
 SECURENOW_APPID=my-nextjs-app
-SECURENOW_INSTANCE=http://your-signoz:4318
+SECURENOW_INSTANCE=http://your-securenow:4318
 ```
 
 ### 3. (Next.js 14 only) Update `next.config.js`:

package/REDACTION-EXAMPLES.md

@@ -0,0 +1,481 @@
+# 🔒 Redaction Examples - See It In Action
+
+Real examples of how SecureNow redacts sensitive data across all content types.
+
+---
+
+## JSON Redaction
+
+### Example 1: Login Request
+
+**Original Request:**
+```json
+POST /api/login
+Content-Type: application/json
+
+{
+  "username": "john@example.com",
+  "password": "MySecretPass123!",
+  "remember": true,
+  "device_id": "abc123"
+}
+```
+
+**Captured in Trace:**
+```json
+{
+  "username": "john@example.com",
+  "password": "[REDACTED]",
+  "remember": true,
+  "device_id": "abc123"
+}
+```
+
+### Example 2: Payment Request
+
+**Original Request:**
+```json
+POST /api/payment
+Content-Type: application/json
+
+{
+  "amount": 99.99,
+  "currency": "USD",
+  "card": {
+    "number": "4242424242424242",
+    "cvv": "123",
+    "expiry": "12/25"
+  },
+  "billing": {
+    "name": "John Doe",
+    "email": "john@example.com"
+  }
+}
+```
+
+**Captured in Trace:**
+```json
+{
+  "amount": 99.99,
+  "currency": "USD",
+  "card": "[REDACTED]",
+  "billing": {
+    "name": "John Doe",
+    "email": "john@example.com"
+  }
+}
+```
+*Note: The entire `card` object is redacted because the key contains "card"*
+
+### Example 3: Nested Secrets
+
+**Original Request:**
+```json
+{
+  "user": {
+    "name": "John",
+    "auth": {
+      "password": "secret",
+      "api_key": "sk_live_abc123"
+    }
+  },
+  "metadata": {
+    "session_token": "xyz789"
+  }
+}
+```
+
+**Captured in Trace:**
+```json
+{
+  "user": {
+    "name": "John",
+    "auth": {
+      "password": "[REDACTED]",
+      "api_key": "[REDACTED]"
+    }
+  },
+  "metadata": {
+    "session_token": "[REDACTED]"
+  }
+}
+```
+*Recursive redaction finds sensitive fields at any depth*
+
+---
+
+## GraphQL Redaction
+
+### Example 1: Login Mutation
+
+**Original Request:**
+```graphql
+POST /graphql
+Content-Type: application/graphql
+
+mutation Login {
+  login(
+    email: "john@example.com", 
+    password: "MySecretPass123!"
+  ) {
+    token
+    user {
+      id
+      name
+    }
+  }
+}
+```
+
+**Captured in Trace:**
+```graphql
+mutation Login {
+  login(
+    email: "john@example.com", 
+    password: "[REDACTED]"
+  ) {
+    token
+    user {
+      id
+      name
+    }
+  }
+}
+```
+
+### Example 2: Variables with Secrets
+
+**Original Request:**
+```graphql
+mutation CreateUser($input: UserInput!) {
+  createUser(input: $input) {
+    id
+  }
+}
+
+Variables:
+{
+  "input": {
+    "email": "john@example.com",
+    "password": "secret123",
+    "api_key": "sk_test_abc"
+  }
+}
+```
+
+**Captured in Trace:**
+```graphql
+mutation CreateUser($input: UserInput!) {
+  createUser(input: $input) {
+    id
+  }
+}
+
+Variables:
+{
+  "input": {
+    "email": "john@example.com",
+    "password": "[REDACTED]",
+    "api_key": "[REDACTED]"
+  }
+}
+```
+
+### Example 3: Multiple Sensitive Fields
+
+**Original Request:**
+```graphql
+mutation UpdateAccount {
+  updateAccount(
+    id: "123",
+    password: "newpass",
+    secret: "mysecret",
+    api_key: "sk_live_xyz"
+  ) {
+    success
+  }
+}
+```
+
+**Captured in Trace:**
+```graphql
+mutation UpdateAccount {
+  updateAccount(
+    id: "123",
+    password: "[REDACTED]",
+    secret: "[REDACTED]",
+    api_key: "[REDACTED]"
+  ) {
+    success
+  }
+}
+```
+
+---
+
+## Form Data Redaction
+
+### Example 1: Login Form
+
+**Original Request:**
+```http
+POST /api/login
+Content-Type: application/x-www-form-urlencoded
+
+username=john&password=secret123&remember=on
+```
+
+**Captured in Trace:**
+```json
+{
+  "username": "john",
+  "password": "[REDACTED]",
+  "remember": "on"
+}
+```
+
+### Example 2: Registration Form
+
+**Original Request:**
+```http
+POST /api/register
+Content-Type: application/x-www-form-urlencoded
+
+email=john@example.com&password=MyPass123&confirm_password=MyPass123&terms=agree
+```
+
+**Captured in Trace:**
+```json
+{
+  "email": "john@example.com",
+  "password": "[REDACTED]",
+  "confirm_password": "[REDACTED]",
+  "terms": "agree"
+}
+```
+*Note: "confirm_password" is redacted because it contains "password"*
+
+---
+
+## Multipart (NOT Captured)
+
+### Example: File Upload
+
+**Original Request:**
+```http
+POST /api/upload
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
+
+------WebKitFormBoundary
+Content-Disposition: form-data; name="file"; filename="document.pdf"
+Content-Type: application/pdf
+
+[Binary PDF data...]
+------WebKitFormBoundary
+Content-Disposition: form-data; name="description"
+
+Important document
+------WebKitFormBoundary--
+```
+
+**Captured in Trace:**
+```json
+{
+  "http.request.body": "[MULTIPART - NOT CAPTURED]",
+  "http.request.body.type": "multipart",
+  "http.request.body.note": "File uploads not captured by design"
+}
+```
+*Multipart data is NOT captured at all - too large and unnecessary*
+
+---
+
+## Custom Sensitive Fields
+
+### Configure Custom Fields
+
+```bash
+# .env.local
+SECURENOW_SENSITIVE_FIELDS=email,phone,address,ssn,credit_card
+```
+
+### Example with Custom Fields
+
+**Original Request:**
+```json
+{
+  "name": "John Doe",
+  "email": "john@example.com",
+  "phone": "+1-555-0123",
+  "address": "123 Main St",
+  "credit_card": "4242424242424242"
+}
+```
+
+**Captured in Trace:**
+```json
+{
+  "name": "John Doe",
+  "email": "[REDACTED]",
+  "phone": "[REDACTED]",
+  "address": "[REDACTED]",
+  "credit_card": "[REDACTED]"
+}
+```
+
+---
+
+## Field Matching Rules
+
+### Case-Insensitive Matching
+
+These all get redacted if "password" is in the sensitive list:
+- `password` → `[REDACTED]`
+- `Password` → `[REDACTED]`
+- `PASSWORD` → `[REDACTED]`
+- `user_password` → `[REDACTED]`
+- `passwordHash` → `[REDACTED]`
+
+### Partial Matching (Substring)
+
+If "token" is sensitive, these get redacted:
+- `token` → `[REDACTED]`
+- `access_token` → `[REDACTED]`
+- `refresh_token` → `[REDACTED]`
+- `oauth_token` → `[REDACTED]`
+- `stripe_token` → `[REDACTED]`
+
+### Built-in Sensitive Fields (20+)
+
+```javascript
+[
+  'password', 'passwd', 'pwd',
+  'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials',
+  'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv',
+  'ssn', 'pin'
+]
+```
+
+---
+
+## Edge Cases
+
+### 1. Empty Values
+
+**Original:**
+```json
+{ "password": "" }
+```
+
+**Captured:**
+```json
+{ "password": "[REDACTED]" }
+```
+*Even empty sensitive fields are redacted*
+
+### 2. Null Values
+
+**Original:**
+```json
+{ "password": null }
+```
+
+**Captured:**
+```json
+{ "password": "[REDACTED]" }
+```
+
+### 3. Numeric Passwords
+
+**Original:**
+```json
+{ "password": 123456 }
+```
+
+**Captured:**
+```json
+{ "password": "[REDACTED]" }
+```
+
+### 4. Array of Objects
+
+**Original:**
+```json
+{
+  "users": [
+    { "name": "John", "password": "pass1" },
+    { "name": "Jane", "password": "pass2" }
+  ]
+}
+```
+
+**Captured:**
+```json
+{
+  "users": [
+    { "name": "John", "password": "[REDACTED]" },
+    { "name": "Jane", "password": "[REDACTED]" }
+  ]
+}
+```
+
+---
+
+## Verification
+
+### Test Your Redaction
+
+1. **Enable body capture:**
+   ```bash
+   SECURENOW_CAPTURE_BODY=1
+   ```
+
+2. **Make a test request:**
+   ```bash
+   curl -X POST http://localhost:3000/api/test \
+     -H "Content-Type: application/json" \
+     -d '{"username":"test","password":"secret123"}'
+   ```
+
+3. **Check SigNoz:**
+   - Find the trace
+   - Look for `http.request.body`
+   - Verify password shows `[REDACTED]`
+
+### Debug Redaction
+
+Enable debug logging:
+```bash
+OTEL_LOG_LEVEL=debug npm run dev
+```
+
+You'll see:
+```
+[securenow] 📝 Request body capture: ENABLED (max: 10240 bytes, redacting 23 sensitive fields)
+```
+
+---
+
+## 🎉 Summary
+
+**Redaction works on ALL content types:**
+
+| Type | Redaction | Method |
+|------|-----------|--------|
+| **JSON** | ✅ Yes | Object property matching |
+| **GraphQL** | ✅ Yes | Regex pattern matching |
+| **Form Data** | ✅ Yes | Parsed then object matching |
+| **Multipart** | ❌ N/A | Not captured at all |
+
+**Protection:**
+- 20+ built-in sensitive fields
+- Custom fields support
+- Case-insensitive matching
+- Substring matching (e.g., "password" matches "user_password")
+- Recursive (works at any nesting level)
+- Fast (< 1ms overhead)
+
+**Your data is safe!** 🔒
+