I am running a NodeJS application, hosted in a Linux Azure Web App. I have set up diagnostic logs for HTTP Logs to be forwarded to a Log Analytics Workspace, and having looked at the logs, I can see there are cookies included by default.
I would ideally like to control which cookies are included in the HTTP logs or prevent cookies being logged at all. I haven't found any documentation on configuring the HTTP logs, and the diagnostic setting is just on or off for that log category.
Is there anything I can do to control the HTTP log content? Thanks
I would ideally like to control which cookies are included in the HTTP logs or prevent cookies being logged at all.
Azure App Service diagnostic logging doesn’t currently allow direct control over which headers or cookies appear in HTTP logs.
At the application level, we can add middleware in our Node.js app to intercept and mask sensitive cookies before they get logged.
I've added middleware to the code that checks each cookie in the request and replaces sensitive cookie values with [FILTERED].
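```javascript
// Mask sensitive cookie values before anything downstream logs the header.
// sensitiveCookies is the array defined in the complete app.js below.
app.use((req, res, next) => {
  console.log("Middleware is running");
  if (req.headers.cookie) {
    const maskedCookies = req.headers.cookie.split(';').map(cookie => {
      // Trim each pair so names match and the rejoined header has single spaces
      const pair = cookie.trim();
      const [name] = pair.split('=');
      if (sensitiveCookies.includes(name.trim())) {
        return `${name.trim()}=[FILTERED]`;
      }
      return pair;
    });
    // Overwrites the header for all later handlers as well
    req.headers.cookie = maskedCookies.join('; ');
    console.log("Masked Cookies:", req.headers.cookie);
  }
  next();
});
```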
Complete app.js code:
```javascript
const express = require('express');
const app = express();

// Names of cookies whose values must never reach the logs
const sensitiveCookies = ["SensitiveCookie", "AnotherCookie"];

// Registered first so it runs before every route handler
app.use((req, res, next) => {
  console.log("Middleware is running");
  if (req.headers.cookie) {
    const maskedCookies = req.headers.cookie.split(';').map(cookie => {
      // Trim each pair so names match and the rejoined header has single spaces
      const pair = cookie.trim();
      const [name] = pair.split('=');
      if (sensitiveCookies.includes(name.trim())) {
        return `${name.trim()}=[FILTERED]`;
      }
      return pair;
    });
    // Overwrites the header for all later handlers as well
    req.headers.cookie = maskedCookies.join('; ');
    console.log("Masked Cookies:", req.headers.cookie);
  } else {
    console.log("No cookies in request");
  }
  next();
});

app.get('/', (req, res) => {
  res.send("Hello, your app is running!");
});

const port = process.env.PORT || 3000;
app.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});
```
This approach ensures that sensitive cookie values are not exposed.
Other alternative approaches for masking sensitive data:
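As an added example (not part of the answer above), here is a variant of the masking middleware that builds a redacted copy of the Cookie header for the application's own log line and leaves `req.headers.cookie` untouched, so session handling downstream still sees the real values. The function names and the sample header are assumptions made for illustration, and it only affects what the application itself logs.

```javascript
// Added example: redact cookies for logging only, without mutating the request.
// Cookie names are taken from the answer; everything else here is hypothetical.
const SENSITIVE_COOKIES = new Set(['SensitiveCookie', 'AnotherCookie']);

// Constructed sample header: one value ends in '=' padding, one cookie has
// no '=' at all, and spacing after ';' is inconsistent.
const SAMPLE_HEADER =
  'theme=dark; SensitiveCookie=abc123==;AnotherCookie=s3cr3t; flag';

// Return a redacted copy of a Cookie header string.
function redactCookieHeader(header, sensitive = SENSITIVE_COOKIES) {
  if (typeof header !== 'string' || header.trim() === '') return '';
  return header
    .split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => {
      // Split on the FIRST '=' only, since values may themselves contain '='
      const eq = part.indexOf('=');
      const name = eq === -1 ? part : part.slice(0, eq).trim();
      // Cookie names are case-sensitive, so compare exactly
      return sensitive.has(name) ? `${name}=[FILTERED]` : part;
    })
    .join('; ');
}

// Express-style middleware factory. The log sink is injectable so the
// redacted line can go to any logger; req.headers.cookie is never modified.
function cookieLogRedactor(log = console.log) {
  return (req, res, next) => {
    const cookies = redactCookieHeader(req.headers.cookie);
    log(`${req.method} ${req.url} cookies="${cookies}"`);
    next();
  };
}
```

In an Express app this would be registered with `app.use(cookieLogRedactor())` before the routes.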