Skip to main content

Decision Masking

Decision masking allows you to remove information from each decision before it gets logged by OPA in Styra DAS. The system.log package in the System's Policy bundle defines decision masking rules. When you add an Envoy System, an example decision masking policy is automatically added to your system. You can view and modify this policy through the Styra DAS UI in system/log/mask.rego.

Decision masking can also be defined at the Stack level. See Decision Masking for additional information.

note

For Envoy Stack types, the default decision masking policy is located under system/log/log.rego.

Additional information on decision masking in Styra DAS can be found in Decision Logs - Decision Masking.

Example Policy

The following example shows the default decision masking policy added to an Envoy System. This policy instructs OPA to remove the token and authorization headers from requests before logging decisions.

package system.log

mask["/input/request/http/headers/token"]
mask["/input/attributes/request/http/headers/authorization"]