Skip to main content

Masked Settings

Since v2.48.0

It is a common security practice to never log sensitive data. To support this practice, Gwen will hide all settings that you flag as "masked" by logging their values as ***** in all logs, reports, error messages and console outputs.

Flagging masked settings

To flag a setting as masked, append :masked to its defined name.

For example, to access a password stored in an environemnt variable named USER_PASSOWRD, you can read it into a masked setting named user.password as follows:

  user {
"password:masked" = "${env.USER_PASSWORD}"

Using masked settings

To use a masked setting, just reference it anywhere you need to using it's name (excluding the :masked suffix).


  When I enter "${user.password}" in the password field

When evaluated, the above will be logged as follows in all outputs:

  When I enter "*****" in the password field
Sample outputs

Console output

Example masked setting logged to console

HTML report output

Example masked setting logged to HTML report


It is your resposibility to enter sensitive data such as passwords into password protected fields to prevent them from being displayed in the browser.

Custom mask character

You can change the default mask character from * to another character of your choice by assigning it to the gwen.mask.char setting.