API Credential Masking
How to mask credentials in Go API response payloads
Metadata
go, recommended
Procedures
- 1 Identify credential fields in response structs
Any struct with Password, SecretKey, AccessKey, Token, or APIKey fields needs masking.

    type ConnectionConfig struct {
        Password        string
        SecretAccessKey string
    }

- 2 Create a masked copy before JSON serialization
Never modify the original struct. Create a copy and mask the sensitive fields.

    // config must be a struct value here; assigning a pointer would alias the original instead of copying it
    masked := config
    masked.Password = "••••••••"
    masked.SecretAccessKey = "••••••••"
    json.NewEncoder(w).Encode(masked)

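- 3 Apply masking in the API handler, not the service layer
The service layer returns full data; the handler masks it before serialization. This keeps the service testable.

    // Handler (SI layer) — mask here
    func handleGetConnection(w http.ResponseWriter, r *http.Request) {
        name := r.URL.Query().Get("name") // assumption: the connection name arrives as a query parameter
        config, err := service.GetConnection(name)
        if err != nil {
            // generic message: do not echo service errors to the client
            http.Error(w, "failed to load connection", http.StatusInternalServerError)
            return
        }
        masked := maskCredentials(config)
        json.NewEncoder(w).Encode(masked)
    }
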
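The three steps above, put together as an added example (not code from the original guideline): a handler-level check built on httptest that decodes what the client would receive and counts credential-named fields that are not masked. The `Host` field, the `stored` variable, the `/connection` path and the helper names `unmasked` and `unmaskedInResponse` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"reflect"
	"regexp"
)

const mask = "••••••••"
// credName matches the credential field-name fragments listed in step 1.
var credName = regexp.MustCompile(`Password|SecretKey|AccessKey|Token|APIKey`)
type ConnectionConfig struct{ Host, Password, SecretAccessKey string } // Host: added non-secret field
var stored = ConnectionConfig{"db.example.internal", "constructed-pw", "constructed-key"} // service-layer stand-in, constructed values

// unmasked counts non-empty credential-named string fields of struct v that lack the mask.
func unmasked(v any) (n int) {
	rv := reflect.ValueOf(v)
	for i := 0; i < rv.NumField(); i++ {
		if f := rv.Field(i); f.Kind() == reflect.String && credName.MatchString(rv.Type().Field(i).Name) && f.String() != "" && f.String() != mask {
			n++
		}
	}
	return n
}

// maskCredentials gets its argument by value, so the caller's struct is never modified.
func maskCredentials(c ConnectionConfig) ConnectionConfig {
	c.Password, c.SecretAccessKey = mask, mask
	return c
}

func handleGetConnection(w http.ResponseWriter, r *http.Request) {
	json.NewEncoder(w).Encode(maskCredentials(stored))
}

// unmaskedInResponse inspects the JSON a client of h would receive; -1 means undecodable.
func unmaskedInResponse(h http.HandlerFunc) int {
	rec, got := httptest.NewRecorder(), ConnectionConfig{}
	h(rec, httptest.NewRequest(http.MethodGet, "/connection", nil))
	if json.Unmarshal(rec.Body.Bytes(), &got) != nil {
		return -1
	}
	return unmasked(got)
}

func main() { fmt.Println("unmasked fields:", unmaskedInResponse(handleGetConnection)) }
```

Because the check keys on field names rather than a fixed list of fields, a credential field added to the struct later fails the check until `maskCredentials` is updated to cover it.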
Tools
- Go net/http
- Go httptest
References
- OWASP API Security Top 10 — API3 Excessive Data Exposure