From ddf80103421587de79fcf9a6fa33f7e3a417d0d1 Mon Sep 17 00:00:00 2001
From: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Date: Tue, 27 Sep 2022 15:35:41 -0400
Subject: [PATCH] docs: clarify json types and workaround (#17318)

* docs: clarify json types and workaround

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
---
 website/content/docs/audit/index.mdx | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/website/content/docs/audit/index.mdx b/website/content/docs/audit/index.mdx
index f9def4d045..bc2210bf06 100644
--- a/website/content/docs/audit/index.mdx
+++ b/website/content/docs/audit/index.mdx
@@ -32,9 +32,10 @@ unique identifier assigned to each request.
 
 Most strings contained within requests and responses are hashed with a salt using HMAC-SHA256. The purpose of the hash is so that secrets aren't in plaintext within your audit logs. However, you're still able to check the value of secrets by generating HMACs yourself; this can be done with the audit device's hash function and salt by using the `/sys/audit-hash` API endpoint (see the documentation for more details).
 
-Note that currently only strings coming from JSON or being returned in JSON are
+~>** Note:** Currently, only strings that come from JSON or returned in JSON are
 HMAC'd. Other data types, like integers, booleans, and so on, are passed
-through in plaintext.
+through in plaintext. We recommend that all sensitive data be provided as string values
+inside all JSON sent to Vault (i.e., that integer values are provided in quotes).
 
 While most strings are hashed, Vault does make some exceptions, such as auth and secrets, and users can enable additional exceptions using the [secrets enable](/docs/commands/secrets/enable) command, and then tune it afterward.