Critical security fix - Extra fields added to request post ignore list (#6)

* [#3] Ensure valid json for header field values

* Allow for custom post request ignore fields

This also fixes a critical security bug that can expose django
registration password information to the logs (password1 and password2)

Author: andrewebdev

auditing/middlewares.py

@@ -21,7 +21,10 @@
                                    'AUDIT_RESPONSE_HTTPCODES',
                                    [i.value for i in http.HTTPStatus
                                     if i not in (200,201,202,301,302)] )
-AUDIT_REQUEST_POST_IGNORED = ('password', )
+
+AUDIT_REQUEST_POST_IGNORED = getattr(settings,
+                                     'AUDIT_REQUEST_POST_IGNORED',
+                                     ('password', 'password1', 'password2'))
 
 
 class HttpHeadersLoggingMiddleware(MiddlewareMixin):