Safe Logging Practices for Tor Onion Services
Logging is essential for debugging and monitoring, but careless logging on a Tor hidden service can deanonymize your visitors or reveal information about your server. This guide covers privacy-preserving logging strategies that give you the operational visibility you need while protecting the anonymity that your visitors expect from a .onion service.
What Not to Log on a Tor Hidden Service
Before configuring what to log, understand what must never be logged. On a Tor hidden service, all connections arrive from 127.0.0.1 (the local Tor daemon), so traditional IP logging is already neutralized. However, several other data points can deanonymize visitors or compromise your service:
- User-Agent strings — Tor Browser uses a standardized User-Agent, but logging it can still fingerprint non-standard Tor clients or reveal when a visitor is not using Tor Browser.
- Exact timestamps — Precise request timestamps combined with traffic analysis can correlate visitors across multiple .onion services. Round timestamps to the nearest hour or day.
- Request paths with query parameters — Query strings may contain search terms, session IDs, or other identifying information. Log paths only if necessary, and strip query parameters.
- Referrer headers — These reveal which page the user came from, potentially linking their activity across multiple .onion sites.
- Cookie values — Session cookies or tracking cookies should never appear in logs.
The principle is data minimization — log only what you absolutely need for operational purposes, and nothing that could identify or track individual visitors.
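The exclusions listed above can also be applied to logs already written in the default nginx/Apache "combined" format. The following is an added example, not code from the original guide; the names scrub_line and scrub, the SAMPLE lines and the .onion hostname in them are constructed for illustration.

```python
import re
from datetime import datetime

# nginx/Apache "combined" access-log layout (assumed input format).
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def scrub_line(line):
    """Return a minimized record, or None if the line is not in combined format."""
    m = COMBINED.match(line)
    if m is None:
        return None  # fail closed: never pass an unparsed line through
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    hour = ts.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:00%z")
    path = m["target"].split("?", 1)[0]  # drop the query string
    size = "0" if m["size"] == "-" else m["size"]
    # IP, Referer and User-Agent are matched only so they can be discarded.
    return f'[{hour}] {m["status"]} {size} "{m["method"]} {path}"'

def scrub(lines):
    """Scrub an iterable of lines; returns (kept_records, dropped_count)."""
    kept, dropped = [], 0
    for line in lines:
        rec = scrub_line(line)
        if rec is None:
            dropped += 1
        else:
            kept.append(rec)
    return kept, dropped

# Constructed sample input (not real traffic).
SAMPLE = [
    '127.0.0.1 - - [12/Mar/2024:14:37:52 +0000] "GET /search?q=secret+term&sid=abc123 HTTP/1.1" '
    '200 5120 "http://example.onion/forum" "Mozilla/5.0 (X11; Linux x86_64) CustomClient/1.0"',
    '127.0.0.1 - - [12/Mar/2024:14:59:01 +0000] "POST /login HTTP/1.1" 302 - "-" "-"',
    'garbage line with token=deadbeef',
]

if __name__ == "__main__":
    records, dropped = scrub(SAMPLE)
    print("\n".join(records))
    print(f"{dropped} unparseable line(s) dropped")
```

Lines that do not parse are dropped rather than copied through, so a malformed entry cannot carry a token or query string into the scrubbed output.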
Privacy-Preserving Nginx Log Configuration
Configure Nginx with a custom log format that captures operational metrics without identifying information:

# /etc/nginx/nginx.conf: privacy-preserving log format
# (map and log_format belong in the http {} context)

# Truncate the timestamp to the hour; $time_iso8601 on its own is exact to the second
map $time_iso8601 $time_hour {
    default 'unknown';
    '~^(?<ymdh>\d{4}-\d{2}-\d{2}T\d{2})' $ymdh;
}

# Custom log format: no IP, no User-Agent, hour-granularity timestamps
log_format privacy '[$time_hour] $status $body_bytes_sent '
                   '"$request_method $uri" $request_time';

# Alternatively, disable access logs entirely
# access_log off;

server {
    listen 127.0.0.1:8080;

    # Use privacy-preserving log format
    access_log /var/log/nginx/onion-access.log privacy;

    # Rotate and delete logs frequently
    # Or write to a tmpfs mount that is cleared on reboot
    # access_log /dev/shm/onion-access.log privacy;

    # Error entries record the full request line (query string included),
    # so treat this file as sensitive and keep it short-lived as well
    error_log /var/log/nginx/onion-error.log error;
}

The privacy log format includes only the hour of the request, the HTTP status code, response size, request method, URI path (without query string), and response time. This gives you enough data to identify errors, performance issues, and traffic patterns without recording anything about individual visitors.
For maximum privacy, write logs to /dev/shm/ (a tmpfs RAM disk) so they are automatically destroyed on reboot and never written to persistent storage. tmpfs pages can be swapped out, so disable swap or encrypt it for this guarantee to hold.
Application-Level Logging Strategies
Configure your application framework to follow the same data minimization principles. Here are examples for common frameworks:

# Python/Flask: privacy-preserving logging
import logging

class PrivacyFilter(logging.Filter):
    def filter(self, record):
        # Render the message first so %-style arguments are scrubbed too,
        # then strip the loopback address from it
        record.msg = record.getMessage().replace('127.0.0.1', '[local]')
        record.args = None
        # Truncate the timestamp to the start of the hour
        record.created = int(record.created // 3600) * 3600
        record.msecs = 0
        return True

# Without a handler and level, INFO records would be silently dropped
logging.basicConfig(level=logging.INFO, format='%(asctime)s %(levelname)s %(message)s')
logger = logging.getLogger('onion_app')
logger.addFilter(PrivacyFilter())

# Log only errors and operational events
logger.error('Database connection failed')
logger.info('Application started')

# NEVER log: request headers, cookies, user data, search queries

// Node.js/Express: minimal logging
const express = require('express');
const morgan = require('morgan');

const app = express();

// Custom token: status, method, path (req.path excludes the query string) and response size
morgan.token('minimal', (req, res) => {
  return `${res.statusCode} ${req.method} ${req.path} ${res.getHeader('content-length') || 0}b`;
});

app.use(morgan(':minimal'));

Never log request bodies, authentication tokens, or form submissions. If you need to debug specific issues, enable verbose logging temporarily and delete the logs immediately after investigation.
AnubizHost — Privacy-First Tor Hosting
AnubizHost configures all managed Tor hosting plans with privacy-preserving logging by default. Nginx access logs are disabled, error logs write to volatile storage, and no visitor data is recorded to disk at any layer of the stack.
Our offshore servers in Iceland, Romania, and Finland operate under strict no-logging policies at the infrastructure level. Pay with Bitcoin, Monero, or other cryptocurrencies — no KYC, no identity verification. AnubizHost ensures that privacy is maintained from sign-up through daily operation, protecting both you and your visitors.