Compliance Readiness

DRF API Logger can be used in regulated environments, but compliance depends on deployment configuration, database controls, retention policies, and the data your APIs send through the logger. This guide covers the package-level controls that help reduce production risk.

Data Minimization

Use the request and response body size settings to avoid storing unnecessary payloads:

DRF_API_LOGGER_MAX_REQUEST_BODY_SIZE = 32768
DRF_API_LOGGER_MAX_RESPONSE_BODY_SIZE = 65536

Set either value to 0 when the body should never be stored. Oversized bodies are replaced with a truncation marker that records the observed byte size and configured limit.

Sensitive Data Masking

The logger masks sensitive keys recursively in request bodies, response bodies, headers, and URL query parameters. Default coverage includes passwords, tokens, authorization headers, cookies, API keys, session IDs, CSRF tokens, and common secret field names.

Add organization-specific fields with:

DRF_API_LOGGER_EXCLUDE_KEYS = [
    'ssn',
    'credit_card',
    'patient_id',
    'customer_secret',
]

Matching is case-insensitive and treats hyphens and underscores equivalently, so X-API-Key and x_api_key are both masked.

Custom Redaction

For domain-specific policies, use a custom handler to transform or drop log records before they enter the background queue:

DRF_API_LOGGER_CUSTOM_HANDLER = 'myapp.logging.redact_api_log'

def redact_api_log(data):
    # Remove the Authorization header entirely instead of storing a masked value.
    data['headers'].pop('AUTHORIZATION', None)
    # Health-check traffic carries no audit value; returning None drops the entry.
    if data['api'].endswith('/health/'):
        return None
    return data

Returning None intentionally drops that log entry.
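A fuller handler in the same shape, added here as an illustration rather than code taken from the package: it drops health and metrics entries, removes the Authorization header, and recursively masks an organization-specific key list in nested request and response payloads using the same case-insensitive, hyphen/underscore-equivalent matching described above. The 'body' and 'response' record keys, the key list, the mask string, and the sample record are assumptions.

```python
from typing import Any, Optional

# Assumed record layout: the guide shows data['api'] and data['headers'];
# 'body' and 'response' are assumed keys for the request/response payloads.
# REDACT_KEYS, DROP_SUFFIXES and MASK are a constructed policy for illustration.
REDACT_KEYS = {"ssn", "credit_card", "patient_id", "X-Customer-Secret"}
DROP_SUFFIXES = ("/health/", "/metrics/")
MASK = "***REDACTED***"


def _norm(key: Any) -> str:
    """Case-insensitive key matching that treats '-' and '_' the same."""
    return str(key).lower().replace("-", "_")


_REDACT_NORMALISED = {_norm(k) for k in REDACT_KEYS}


def redact(value: Any) -> Any:
    """Recursively mask matching keys in nested dicts and lists; scalars pass through."""
    if isinstance(value, dict):
        return {
            k: MASK if _norm(k) in _REDACT_NORMALISED else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def redact_api_log(data: dict) -> Optional[dict]:
    """Custom handler: None drops the entry; otherwise return a sanitised copy."""
    api = data.get("api", "")
    if any(api.endswith(suffix) for suffix in DROP_SUFFIXES):
        return None
    cleaned = dict(data)  # shallow copy so the caller's record is not mutated
    cleaned["headers"] = redact(data.get("headers", {}))
    cleaned["headers"].pop("AUTHORIZATION", None)  # drop rather than mask
    for key in ("body", "response"):
        if key in data:
            cleaned[key] = redact(data[key])
    return cleaned


# Constructed sample record (not captured from a real deployment).
SAMPLE = {
    "api": "/api/v1/patients/",
    "headers": {"AUTHORIZATION": "Bearer abc", "x_customer_secret": "s3cret", "Host": "example"},
    "body": {"patient_id": "P-1", "notes": [{"ssn": "123-45-6789", "text": "ok"}]},
    "response": {"status": "created", "credit-card": "4111"},
}
```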

Storage Controls

For production and compliance-sensitive systems:

  • Use DRF_API_LOGGER_DEFAULT_DATABASE to write logs to a dedicated database.

  • Enable encryption at rest and backups on the database platform.

  • Limit database and Django admin access with least-privilege roles.

  • Define retention and deletion jobs for old log rows.

  • Avoid storing request or response bodies for endpoints that handle regulated data unless there is a documented business need.

Profiling Controls

Profiling is disabled by default. If enabled in high-traffic production systems, sample it:

DRF_API_LOGGER_ENABLE_PROFILING = True
DRF_API_LOGGER_PROFILING_SQL_TRACKING = True
DRF_API_LOGGER_PROFILING_SAMPLE_RATE = 0.1

This keeps request-level performance visibility while reducing overhead and stored diagnostic volume.

Operational Checks

Monitor the logger worker backlog through LOGGER_THREAD.get_status() and alert when queue_backlog grows continuously. A rising backlog usually means the logging database cannot keep up with write volume.

Compliance Mapping

The package provides controls that support common privacy and security programs:

Requirement Area             Package Support
---------------------------  ----------------------------------------------------------------------------
Data minimization            Body limits, truncation markers, custom handler drops
Sensitive data protection    Recursive masking for bodies, headers, and URL query parameters
Access control               Dedicated log database support through Django database aliases
Retention                    Timestamped log model suitable for scheduled retention jobs
Auditability                 Request metadata, status code, execution time, tracing IDs, and profiling data

These controls do not by themselves certify GDPR, HIPAA, PCI DSS, SOC 2, or ISO 27001 compliance. Treat them as implementation controls inside your broader governance, risk, and compliance process.