Security Best Practices

The PII Leak That Never Happened

During a security audit, our team reviewed traces in Jaeger and found:

{
  "traceId": "abc123...",
  "spans": [{
    "attributes": {
      "user.email": "[email protected]",
      "user.ssn": "123-45-6789",
      "credit_card.number": "4532-1234-5678-9010",
      "user.password": "MyP@ssw0rd!"
    }
  }]
}

We were logging PII (Personally Identifiable Information) in production traces!

This was a GDPR nightmare waiting to happen. Anyone with Jaeger access could see:

  • Email addresses

  • Social security numbers

  • Credit card numbers

  • Passwords (!)

The fix? Sanitize all telemetry data before export.

Rule #1: Never Log Sensitive Data

What Counts as Sensitive?

  • PII: Email, phone, name, address, SSN, passport

  • Credentials: Passwords, API keys, tokens, secrets

  • Financial: Credit cards, bank accounts, transaction details

  • Health: Medical records, diagnoses, prescriptions

  • Proprietary: Trade secrets, internal algorithms, pricing
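As an added example (not code from the page or from OpenTelemetry itself), here is a Python sanitizer that applies Rule #1 to the trace JSON shown above: attributes under sensitive keys are redacted outright, and every string value is scanned for email addresses, SSNs and Luhn-valid card numbers, so PII hiding under an innocent key such as a free-text note is caught as well. The key list and regexes are this example's own assumptions; sanitize_attributes is meant to be called wherever your application builds span attributes or wraps its exporter.

```python
import re
from typing import Any, Dict

# Keys redacted outright, whatever the value (matched as lower-cased substrings).
# Chosen for this example; extend it for your own attribute schema.
SENSITIVE_KEY_PARTS = ("password", "secret", "token", "api_key", "apikey",
                       "authorization", "cookie", "ssn", "credit_card", "email")

# Value patterns that flag PII even under a harmless-looking key.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps order ids and timestamps from being redacted as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_value(value: Any) -> Any:
    """Mask PII embedded in a string value; non-string values pass through."""
    if not isinstance(value, str):
        return value
    value = EMAIL_RE.sub("[REDACTED:email]", value)
    value = SSN_RE.sub("[REDACTED:ssn]", value)
    return CARD_RE.sub(
        lambda m: "[REDACTED:card]" if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0),
        value)


def sanitize_attributes(attrs: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of span attributes that is safe to export."""
    clean = {}
    for key, value in attrs.items():
        if any(part in key.lower() for part in SENSITIVE_KEY_PARTS):
            clean[key] = "[REDACTED]"
        else:
            clean[key] = redact_value(value)
    return clean


def sanitize_trace(trace: Dict[str, Any]) -> Dict[str, Any]:
    """Sanitize every span of a trace shaped like the Jaeger JSON above."""
    spans = [dict(span, attributes=sanitize_attributes(span.get("attributes", {})))
             for span in trace.get("spans", [])]
    return dict(trace, spans=spans)
```

Key-based redaction is the cheap first line; the value scan is what catches the "entire request body in a span attribute" case described in the incident below.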

Automatic Redaction

Result

Before sanitization:

After sanitization:

Sanitizing HTTP Headers

HTTP headers often contain sensitive data:

Collector-Level Sanitization

Use the OpenTelemetry Collector to sanitize at the infrastructure level:

Securing Exporter Endpoints

TLS for Data in Transit

Bad: Plain HTTP

Good: HTTPS with TLS

Authentication

API Key authentication:

OAuth2 Bearer Token:

Access Control for Telemetry Data

Jaeger RBAC

Restrict access to traces:

Data Retention and Deletion

Jaeger Retention Policies

Automated Data Deletion

Compliance Considerations

GDPR Right to Deletion

Implement trace deletion by user ID:

SOC 2 Audit Trail

Log access to telemetry:

Environment-Specific Sanitization

Development: Less strict, more data for debugging

Security Checklist

Real Security Incident

What happened: Developer accidentally logged entire request bodies, including credit card numbers.

Detection: Security scan of Jaeger found credit_card.number attribute.

Impact: 15,000 credit card numbers exposed in traces.

Response:

  1. Immediately deleted all traces (7 days retention)

  2. Deployed sanitizing exporter

  3. Implemented Collector-level redaction

  4. Added automated scanning for PII in traces

  5. Notified affected customers (regulatory requirement)

Lesson: Defense in depth - sanitize at app, collector, and storage levels.

What's Next

Continue to Production Deployment to learn:

  • Deploying at scale

  • High availability setup

  • Monitoring the monitoring system

  • Runbooks and incident response


Previous: ← Performance Optimization | Next: Production Deployment →

Security first, observability second.
