Redact Passwords in URL Strings

Detect and redact passwords embedded in URLs, including database connection strings, SMTP servers, proxy configurations and authenticated API endpoints, while leaving the rest of the URL intact so it still reads as a usable configuration reference.

Detailed Explanation

Redacting Passwords from URLs

Passwords embedded in URLs are a legacy practice that persists in many systems. Database connection strings, SMTP configurations, proxy settings, and some API endpoints include credentials directly in the URL. These passwords must be redacted before the URL is shared, logged, or displayed.

URL Authentication Format

The URI standard (RFC 3986) defines the userinfo component, which sits between the scheme delimiter and the host. The same RFC deprecates the user:password form of userinfo precisely because the password then travels and is stored in the clear, which is why it keeps turning up in logs:

scheme://username:password@host:port/path?query#fragment
         └───────────────┘
           userinfo (credentials)

Common URL Types with Embedded Passwords

# Database connections
postgresql://dbadmin:MyP@ssw0rd!@prod-db.internal:5432/appdb
mongodb+srv://root:MongoS3cret@cluster0.abc123.mongodb.net/db

# SMTP
smtp://notifications:EmailP@ss123@smtp.provider.com:587

# Proxy
http://proxyuser:Pr0xyP@ss@proxy.corporate.com:8080

# Authenticated APIs
https://api_user:api_secret@api.service.com/v1/data

# Git remotes
https://developer:ghp_token123@github.com/org/repo.git

Detection and Redaction

The redactor locates the ://username:password@ pattern and replaces only the password portion, leaving the scheme, username, host, port and path intact so the string still reads as the original URL. Because an unencoded @ inside the password is common, the last @ before the host is taken as the end of the credentials; splitting on the first @ would keep MyP as the password and leak ssw0rd! as part of the host:

# Before
postgresql://dbadmin:MyP@ssw0rd!@prod-db.internal:5432/appdb

# After
postgresql://dbadmin:[REDACTED]@prod-db.internal:5432/appdb

Challenges with URL Password Detection

Password redaction in URLs faces several challenges:

  • Special characters — Passwords may contain @, :, or /, all of which are significant in a URL. They should be percent-encoded (%40, %3A, %2F) but often are not, so a naive split on the first @ or : picks the wrong boundary
  • Nested URLs — A query parameter (a callback or redirect target, for example) may contain another URL with its own credentials, often percent-encoded so the inner :// is not visible in the raw text
  • Empty username — Some URLs carry only a password or token with no username before the colon: redis://:password@host
  • Query parameter credentials — Some systems pass credentials as query parameters rather than in the userinfo component: ?password=secret
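The following is an added example that implements the detection and redaction described above together with the four edge cases in the list; it is not the Secret Redactor's own code. It scans free text (log lines, config files) rather than a single parsed URL, so it works on input that is not a well-formed URL. The list of sensitive query parameter names and the sample lines are constructed for this example.

```python
import re
from urllib.parse import quote, unquote

REDACTED = "[REDACTED]"

# Query parameter names treated as credentials. Constructed list for this
# example; extend it to match the systems you actually log.
SENSITIVE_PARAMS = ("password", "passwd", "pwd", "secret", "token",
                    "api_key", "apikey", "access_token")

# scheme://userinfo@ -- userinfo is everything up to the LAST '@' before the
# authority ends ('/', '?', '#' or whitespace). The class is greedy and
# backtracks to the final '@', so an unencoded '@' inside the password
# ("MyP@ssw0rd!") does not truncate the match. An unencoded '/' in the
# password still defeats detection; that is the limitation noted above.
_USERINFO_RE = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)(?P<userinfo>[^/?#\s]*)@"
)

# ?password=... or &token=... : the value runs to the next '&', '#',
# whitespace or quote character.
_QUERY_RE = re.compile(
    r"(?P<key>[?&](?:" + "|".join(SENSITIVE_PARAMS) + r")=)(?P<value>[^&#\s'\"]*)",
    re.IGNORECASE,
)

# Any query parameter at all; used to look inside percent-encoded values for
# nested URLs whose '://' is hidden as '%3A%2F%2F'.
_ANY_PARAM_RE = re.compile(r"(?P<key>[?&][^=&#\s'\"]+=)(?P<value>[^&#\s'\"]+)")


def _redact_userinfo(m: re.Match) -> str:
    # The first ':' separates username from password (RFC 3986 userinfo).
    user, sep, _password = m.group("userinfo").partition(":")
    if not sep:
        # "user@host" with no password: left alone (design choice, see note).
        return m.group(0)
    return f"{m.group('scheme')}{user}:{REDACTED}@"


def _redact_nested(m: re.Match) -> str:
    raw = m.group("value")
    decoded = unquote(raw)
    if decoded == raw:
        return m.group(0)            # plain value: the other passes already saw it
    cleaned = redact_urls(decoded)   # recurse: the decoded value may itself be a URL
    if cleaned == decoded:
        return m.group(0)
    # Re-encode so the outer URL stays structurally valid; keep the marker readable.
    return m.group("key") + quote(cleaned, safe="[]")


def redact_urls(text: str) -> str:
    """Redact credentials in every URL that appears anywhere in `text`."""
    text = _USERINFO_RE.sub(_redact_userinfo, text)
    text = _QUERY_RE.sub(lambda m: m.group("key") + REDACTED, text)
    return _ANY_PARAM_RE.sub(_redact_nested, text)


if __name__ == "__main__":
    # Constructed sample lines, not real credentials.
    samples = [
        "DATABASE_URL=postgresql://dbadmin:MyP@ssw0rd!@prod-db.internal:5432/appdb",
        "cache: redis://:s3cret@cache.internal:6379/0",
        "GET https://api.service.com/login?user=bob&password=hunter2&x=1",
        "redirect https://app.example.com/cb?next=https%3A%2F%2Fu%3Ap%40inner.com%2Fx",
    ]
    for line in samples:
        print(redact_urls(line))
```

Two design choices are worth stating. A userinfo component with no colon (ssh://git@host, or a bare token in the username slot) is left untouched here; if your environment uses token-only URLs, redact the whole userinfo instead. The nested pass re-encodes the redacted inner URL with quote(), so the outer URL remains parseable even though the secret is gone.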

Best Practices

  • Never log full URLs — Strip or redact credentials before a URL reaches a log line, an error message, or a stack trace; error messages from database drivers and HTTP clients often echo the URL they were given
  • Use connection poolers — Database connection poolers such as PgBouncer can hold the database credentials centrally, so application configuration only references the pooler
  • Environment variables — Store username and password separately and assemble the URL at runtime, percent-encoding each component
  • Secret managers — Fetch credentials from a tool such as HashiCorp Vault or AWS Secrets Manager at startup instead of embedding them in a URL in a configuration file
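As an added example (not code from this tool or from any of the products named above) of the "environment variables" practice, the block below assembles a connection URL from separately stored components with each one percent-encoded, shows that a driver-style parse recovers the original password, and produces a display form with the password removed for logging. The variable names DB_USER, DB_PASSWORD, DB_HOST, DB_PORT and DB_NAME and the sample values are assumptions for this example.

```python
import os
from urllib.parse import quote, unquote, urlsplit, urlunsplit

REDACTED = "[REDACTED]"


def build_db_url(env=os.environ, scheme="postgresql"):
    """Assemble a connection URL from separately stored credentials.

    The variable names are an assumption for this example. Percent-encoding
    each component is what keeps an '@', ':' or '/' inside the password from
    corrupting the URL structure ("MyP@ssw0rd!" becomes "MyP%40ssw0rd%21").
    """
    user = quote(env["DB_USER"], safe="")
    password = quote(env["DB_PASSWORD"], safe="")
    host = env["DB_HOST"]
    port = env.get("DB_PORT", "5432")
    name = quote(env["DB_NAME"], safe="")
    return f"{scheme}://{user}:{password}@{host}:{port}/{name}"


def credentials_from_url(url):
    """Recover the decoded username, password and host the way a driver would."""
    parts = urlsplit(url)
    return unquote(parts.username or ""), unquote(parts.password or ""), parts.hostname


def display_url(url):
    """Parse-based redaction for a URL you hold as one well-formed string.

    Keeps scheme, username, host, port, path and query; only the password is
    replaced, so the value is safe to log or print as a reference.
    """
    parts = urlsplit(url)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:
        return url                        # no userinfo component at all
    user, has_password, _ = userinfo.partition(":")
    if not has_password:
        return url                        # username only, nothing to hide
    return urlunsplit(parts._replace(netloc=f"{user}:{REDACTED}@{hostport}"))


if __name__ == "__main__":
    # Constructed environment, not real credentials.
    example_env = {"DB_USER": "dbadmin", "DB_PASSWORD": "MyP@ssw0rd!",
                   "DB_HOST": "prod-db.internal", "DB_NAME": "appdb"}
    url = build_db_url(example_env)
    print(url)                      # password appears as MyP%40ssw0rd%21
    print(credentials_from_url(url))
    print(display_url(url))         # the form that may go into a log
```

display_url() relies on the URL being well-formed, which is exactly what build_db_url() guarantees; for URLs of unknown provenance in free text, a pattern-based scan that tolerates unencoded characters is the safer choice.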

Use Case

A DevOps team is auditing their Docker Compose files across multiple services. Many compose files contain database URLs, SMTP credentials, and proxy configurations with embedded passwords. Running each file through the Secret Redactor produces sanitized versions that can be checked into a documentation repository as configuration references.
