Since Metlo is self hosted, all of your data stays in your servers. The only data that Metlo collects is api trace data to discover endpoints, sensitive data and build model of API usage. Trace data is cleared from the Metlo's internal database every hour.
There may be some data you never want stored in Metlo's database (like passwords and API Keys). You can do this by specifying the fields you wouldn't like stored in the file called
metlo-config.yaml in the root directory before running docker-compose.
For example, if you wanted to disable collection for the password in a
POST request to
/login you would make the following rule under the
blockFields: test-ecommerce.metlo.com: /login: POST: disable_paths: - req.body.password
The key at the top level is the host you want to select, the second is the endpoint and the third is the method.
disable_paths is a list of the data that you don't want stored. In this case we don't want to store the password in the request body. The possible sections are:
If we wanted to disable this for all methods and not just
POST we can specify the
ALL key instead of the method.
blockFields: test-ecommerce.metlo.com: /login: ALL: disable_paths: - req.body.password
You can also use
ALL for the endpoint if you want to disable certain fields for all endpoints as well:
blockFields: test-ecommerce.metlo.com: ALL: disable_paths: - req.headers.X-API-KEY /login: POST: disable_paths: - req.body.password
Updated 2 months ago