Security & Validation

Secret Masking Policy

The Secret Masking policy searches for and masks common secrets and replaces them with a placeholder. Secrets that are automatically masked include:

Zuplo API keys
GitHub Tokens and Personal Access Tokens
Private key blocks
And more!

See the policy documentation for a full description of secrets that are masked via this policy.

This is especially useful as an outbound policy for MCP servers, APIs that interface with user generated content, or AI consumers.

Configuration

The configuration shows how to configure the policy in the 'policies.json' document.

{
  "name": "my-secret-masking-outbound-policy",
  "policyType": "secret-masking-outbound",
  "handler": {
    "export": "SecretMaskingOutboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "additionalPatterns": [],
      "mask": "[REDACTED]"
    }
  }
}
json

Policy Configuration

name <string> - The name of your policy instance. This is used as a reference in your routes.
policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be secret-masking-outbound.
handler.export <string> - The name of the exported type. Value should be SecretMaskingOutboundPolicy.
handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

mask <string> - The string to replace detected secrets with. Defaults to "[REDACTED]".
additionalPatterns <string[]> - Extra regex patterns for secrets to mask.

Using the Policy

This policy masks sensitive secrets in outgoing requests to prevent exposure to downstream consumers. This is especially useful for AI agents and MCP clients (where LLMs should not consume potentially sensitive user generated information or poisoned agents are attempting to leak information they have access to).

Configuration

mask: The mask to use when redacting information. Default: [REDACTED]
additionalPatterns: Additional Regex patterns to mask secrets with (make sure to correctly escape "meta escape" characters: i.e., \b should be escaped \\b to avoid a JSON parsing error. Otherwise, you may see build errors).

Usage

Apply this policy to outbound requests in your route configuration:

{
  "policies": [
    {
      "name": "secret-masking-policy",
      "policyType": "secret-masking-outbound",
      "handler": {
        "export": "SecretMaskingOutboundPolicy",
        "module": "$import(@zuplo/runtime)",
        "options": {
          "mask": "<SECRET MASKED>",
          "additionalPatterns": ["\\b(\\w+)=\\w+\\b"]
        }
      }
    }
  ]
}
json

Masked secrets

Zuplo API keys (i.e. zpka_xxx)
GitHub Tokens and Personal Access Tokens (i.e. ghp_xxx)
Private key blocks (i.e. BEGIN PRIVATE KEY and END PRIVATE KEY)