The Nightfall API is capable of returning a redacted version of your scanned text when a Detector is triggered.
This functionality allows you to hide potentially sensitive information while retaining the original context in which that information appeared.
In order to redact content, when you call the scan endpoint you must provide a RedactionConfig as part of the definition of your Detection Rule.
You may specify one of the following different methods to redact content:
apply masking (e.g. asterisks)
substitute a phrase
substitute the name of the triggered Detector (referred to as "InfoType substitution")
use encryption
A RedactionConfig is defined per Detector in a Detection Rule, allowing you to specify a different redaction method for each type of Detector in the rule.
By default, the redaction feature will return both the sensitive finding and the redacted version of that finding. You may set the removeFinding field to true if you want only the redacted version of the finding returned in the response.
Specifying a MaskConfig as part of your RedactionConfig substitutes a character for each character in the matched text. By default the masking character is an asterisk (*). You may specify an alternate character to use instead (maskingChar).
You may also choose to only mask a portion of the original text by specifying a number of characters to leave unmasked (numCharsToLeaveUnmasked). For instance, if you want to mask all but the last 4 digits of a credit card number, set this value to 4 so that the redacted finding would be rendered as ***************4242.
In the case where you want to leave characters unmasked at the front of the string, you may use the maskLeftToRight flag. This flag determines if masking is applied left to right (*****/1984) instead of right to left (01/01*****). By default, this value is false.
Below is an example of how a RedactionConfig would be configured to redact the text that triggers a DATE_OF_BIRTH Detector such that the text 01/11/1995 becomes ??/??/??95.
The SubstitutionConfig substitutes a sensitive finding with the value assigned to the property substitutionPhrase.
If no value is assigned to substitutionPhrase, the finding will be replaced with an empty string.
It is possible to replace a sensitive finding with the name of the NIGHTFALL_DETECTOR that triggered it by using an InfoTypeSubstitutionConfig.
If you use the built-in credit card Detector, the string 4242-4242-4242-4242 will be redacted to [CREDIT_CARD_NUMBER].
This config is only valid for Detectors with a detectorType of NIGHTFALL_DETECTOR.
A CryptoConfig will encrypt a sensitive finding with a public key (provided as the publicKey property of the config) using RSA encryption.
Note that you are responsible for passing public keys for encryption and handling any decryption of the response payload. Nightfall will not store your keys.
Below is an example of a CryptoConfig being used to redact an EMAIL_ADDRESS detector.
The original input payload with redactions made inline is returned as a list of strings under the redactedPayload property. Each item in the list of redacted payloads corresponds to the list of strings in the original input payload and, if a Detector was triggered, it will contain a redacted version of that corresponding string.
If an item in the input payload did not have any findings, the entry for that index will be an empty string ("").
The redactedPayload property is omitted if no RedactionConfig was provided.
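Because an empty string in redactedPayload can mean either "no findings" or "the whole item was replaced with an empty substitution", client code should decide which text to keep from the findings, not from the string alone. The following is an added example, not Nightfall's own code: the helper names are hypothetical, and the response shape (a findings list with one entry per payload item) is an assumption built from the fields this page describes.

```python
# Added example: fail-closed merge of a scan response with the original payload.
# The response shape is an assumption based on the fields this page describes.

class RedactionError(Exception):
    """Raised when the response cannot be safely used as redacted output."""


def safe_texts(payload, response):
    """Return one safe-to-store string per payload item, or raise."""
    redacted = response.get("redactedPayload")
    if redacted is None:
        # Omitted when no RedactionConfig was sent: never fall back to raw text.
        raise RedactionError("no redactedPayload: was a RedactionConfig provided?")
    findings = response.get("findings", [])  # assumed: one list per payload item
    if not (len(redacted) == len(findings) == len(payload)):
        raise RedactionError("response is not aligned with the input payload")

    out = []
    for original, red, item_findings in zip(payload, redacted, findings):
        if not item_findings:
            # "" here means "nothing found", so the original is safe to keep.
            out.append(original)
            continue
        # With findings present, "" is a real redaction result (for example a
        # SubstitutionConfig with no substitutionPhrase on a whole-item match).
        for f in item_findings:
            raw = f.get("finding")  # absent when removeFinding is true
            if raw and raw in red:
                raise RedactionError("raw finding survived redaction")
        out.append(red)
    return out


# Constructed sample data, not real API output.
PAYLOAD = ["hello world", "card 4242-4242-4242-4242", "jane@example.com"]
RESPONSE = {
    "findings": [
        [],
        [{"finding": "4242-4242-4242-4242", "redactedFinding": "[CREDIT_CARD_NUMBER]"}],
        [{"redactedFinding": ""}],  # removeFinding true, empty substitution
    ],
    "redactedPayload": ["", "card [CREDIT_CARD_NUMBER]", ""],
}

if __name__ == "__main__":
    print(safe_texts(PAYLOAD, RESPONSE))
```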
Additionally, the fields redactedFinding and redactedLocation are added to the finding object when the redaction feature is invoked.
The redactedFinding field contains the redacted version of only the text of the finding without its surrounding context. This is useful when you are masking a portion of the text that triggered a Detector.
The redactedLocation property will be returned as part of the finding that corresponds to an item in the payload. This may be distinct from the location property that is returned for a finding by default.
In the unlikely case where there are findings that overlap, Nightfall will default to replacing the text of the overlapping findings with [REDACTED BY NIGHTFALL].
The following example shows how the redaction functionality may be invoked, with a variety of different redaction methods applied to the different Detectors being used.
You can see in the response how the RedactionConfig associated with the various Detectors affects the different findings.
Note that because the 2nd item in the payload matches multiple detectors, the redacted text in the redactedPayload property becomes [REDACTED BY NIGHTFALL].
The results of applying redactions are returned in the response payload for requests made to the scan endpoint, both as part of an array named redactedPayload and as additional properties of the finding object.