Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

wai-extra: redact Authorization header when logging a request #950

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

austin-artificial
Copy link

The Authorization request header normally contains sensitive data which we probably don't want to log.

This redacts it in a similar way to what is done for cookies.

Happy to bump the version number if needed and add a changelog if the idea is approved.

Before submitting your PR, check that you've:

After submitting your PR:

  • Update the Changelog.md file with a link to your PR
  • Check that CI passes (or if it fails, for reasons unrelated to your change, like CI timeouts)

This is similar to what is done for cookies
@Vlix
Copy link
Contributor

Vlix commented Nov 30, 2023

I don't see any problem with this change 🤔

When using a default logger, you'd probably want to err on the safe side, so not leak credentials. If anyone wants to log delicate data, they can implement it themselves.

I'd appreciate a bump in version, update to the ChangeLog and maybe find where describing this redaction (and maybe also the cookie redaction) would make sense and add it there?

EDIT: I just saw Snoyberg's comment on this exact change in #792 and they feel it's a major version bump. And I can see the reasoning behind that. It might be better to just provide a version of this function that takes a function to redact certain header values?

-- | Like 'requestHeadersToJSON', but takes a list of 'HeaderName's to redact
requestHeadersToJSONRedact :: [HeaderName] -> RequestHeaders -> Value
...

requestHeadersToJSON :: RequestHeaders -> Value
requestHeadersToJSON = requestHeadersToJSONRedact [hCookie]

🤷 Something like that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants