URI query redaction in HttpClient EventSource events

In .NET 9, the default behavior of EventSource events emitted by HttpClient and SocketsHttpHandler (EventSource name: System.Net.Http) has been modified to scrub query strings. This change enhances privacy by preventing the logging of potentially sensitive information contained in query strings. If necessary, you can override this behavior.

Version introduced

.NET 9 Preview 7

Previous behavior

Previously, events emitted by HttpClient and SocketsHttpHandler included query string information, which could inadvertently expose sensitive information.

New behavior

With the change in dotnet/runtime#104741, query strings in HttpClient and SocketsHttpHandler events are replaced by a * character by default. This change affects specific events and parameters, such as pathAndQuery in RequestStart and redirectUri in Redirect.

Type of breaking change

This change is a behavioral change.

Reason for change

The primary reason for this change was to enhance privacy by reducing the risk of sensitive information being logged inadvertently. Query strings often contain sensitive data, and redacting them from logs by default helps protect this information.

If you need query string information when consuming HttpClient or SocketsHttpHandler events and you're confident that it's safe to do so, you can enable query string logging globally by setting an AppContext switch in one of three ways:

  • In the project file.

    <ItemGroup>
      <RuntimeHostConfigurationOption Include="System.Net.Http.DisableUriRedaction" Value="true" />
    </ItemGroup>
    
  • In the runtimeconfig.json file.

    {
        "runtimeOptions": {
            "configProperties": {
                "System.Net.Http.DisableUriRedaction": true
            }
        }
    }
    
  • Through an environment variable.

    Set DOTNET_SYSTEM_NET_HTTP_DISABLEURIREDACTION to true or 1.

Otherwise, no action is required, and the default behavior will help enhance the privacy aspects of your application.
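One way to confirm whether redaction is in effect for a given build and configuration, as an added example that is not code from the original page or from dotnet/runtime: an in-process EventListener captures the pathAndQuery payload of RequestStart and checks it for a marker placed in the query string. HttpEventCapture, StubHandler, the URL and the token value are constructed for illustration; the stub handler keeps the request inside the process.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Tracing;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Records the pathAndQuery payload of each RequestStart event from System.Net.Http.
sealed class HttpEventCapture : EventListener
{
    public List<string> Seen { get; } = new();

    protected override void OnEventSourceCreated(EventSource source)
    {
        if (source.Name == "System.Net.Http")
            EnableEvents(source, EventLevel.Informational);
    }

    protected override void OnEventWritten(EventWrittenEventArgs e)
    {
        if (e.EventName != "RequestStart" || e.PayloadNames is null || e.Payload is null) return;
        int i = e.PayloadNames.IndexOf("pathAndQuery");
        if (i >= 0 && e.Payload[i] is string value)
            lock (Seen) Seen.Add(value);
    }
}

// Hypothetical stub so the request never leaves the process.
sealed class StubHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
        => Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK));
}

static class Program
{
    const string Secret = "CONSTRUCTED-SECRET"; // constructed sample value
    static async Task<int> Main()
    {
        using var capture = new HttpEventCapture();
        using var client = new HttpClient(new StubHandler());
        using var response = await client.GetAsync($"https://api.example.test/orders?token={Secret}");
        if (capture.Seen.Count == 0) { Console.WriteLine("No RequestStart event captured"); return 2; }
        bool leaked = capture.Seen.Exists(p => p.Contains(Secret, StringComparison.Ordinal));
        foreach (string p in capture.Seen) Console.WriteLine($"RequestStart pathAndQuery: {p}");
        Console.WriteLine(leaked ? "Query string is being logged" : "Query string is redacted");
        return leaked ? 1 : 0; // non-zero exit lets a CI job fail when redaction is off
    }
}
```

Running the same program with the switch set through any of the three mechanisms above shows whether that configuration actually reaches the process.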

Note

This switch also disables query string redaction in the default IHttpClientFactory logs. For more information, see URI query redaction in IHttpClientFactory logs.

Affected APIs