Security considerations of using Expression Language for sensitive properties

Allowing Expression Language for a property has the advantage of configuring the property dynamically via FlowFile attributes or Variable Registry entries. In case of sensitive properties, it also has a drawback of exposing sensitive information like passwords, security keys or tokens. When the value of a sensitive property comes from a FlowFile attribute, it travels by the FlowFile in clear text form and is also saved in the provenance repository. Variable Registry does not support the encryption of sensitive information either. Due to these, the sensitive credential data can be exposed to unauthorized parties.

Best practices for using Expression Language for sensitive properties: