fix(pii): Scrub API key headers with hyphens (e.g. x-api-key) #5829

Open
JoshFerge wants to merge 2 commits into master from jferg/fix-api-key-hyphen-scrubbing

@JoshFerge JoshFerge commented Apr 13, 2026

Summary

  • The PASSWORD_KEY_REGEX in relay-pii matched api_key (underscore) and apikey (no separator) but not api-key (hyphen), meaning HTTP headers like Anthropic's x-api-key were not scrubbed by default data scrubbing
  • Updated the regex to use api[-_]key to cover all separator variants
  • Also updated private_key → private[-_]key for consistency (matches the existing two[-_]factor pattern)

Test plan

  • Added test_api_key_header_scrubbing test covering x-api-key, api-key, api_key, apikey, and X-Api-Key
  • All 248 existing relay-pii tests pass with no regressions
  • Snapshot confirms all variants produce [Filtered]

The PASSWORD_KEY_REGEX matched `api_key` and `apikey` but not `api-key`,
so HTTP headers like Anthropic's `x-api-key` were not scrubbed by default
data scrubbing. Update the regex to use `api[-_]key` (and `private[-_]key`
for consistency) to cover hyphenated header names.
@JoshFerge JoshFerge marked this pull request as ready for review April 13, 2026 19:20
@JoshFerge JoshFerge requested a review from a team as a code owner April 13, 2026 19:20
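
The gap described in this PR, as an added example (not code from relay-pii or from the PR): a name-based header scrubber run over constructed headers with the key pattern before and after the change. `BEFORE`, `AFTER`, `scrub_headers` and `leaked` are hypothetical names, and both patterns are simplified stand-ins containing only the alternatives named in the description, not the real `PASSWORD_KEY_REGEX`.

```python
import re

FILTERED = "[Filtered]"

# Simplified stand-ins (assumption): only the alternatives the PR text names.
# BEFORE covers api_key / apikey / private_key; AFTER adds the hyphen variants.
BEFORE = re.compile(r"api_key|apikey|private_key|two[-_]factor", re.IGNORECASE)
AFTER = re.compile(r"api[-_]key|apikey|private[-_]key|two[-_]factor", re.IGNORECASE)

# Constructed sample headers; every value is fake.
SAMPLE_HEADERS = {
    "x-api-key": "constructed-secret-1",
    "api-key": "constructed-secret-2",
    "api_key": "constructed-secret-3",
    "apikey": "constructed-secret-4",
    "X-Api-Key": "constructed-secret-5",
    "private-key": "constructed-secret-6",
    "content-type": "application/json",
}


def scrub_headers(headers, key_pattern):
    """Return a copy of headers with the value replaced when the name matches."""
    return {
        name: FILTERED if key_pattern.search(name) else value
        for name, value in headers.items()
    }


def leaked(headers, key_pattern):
    """Names of headers whose values survive scrubbing under key_pattern."""
    scrubbed = scrub_headers(headers, key_pattern)
    return sorted(name for name, value in scrubbed.items() if value != FILTERED)


if __name__ == "__main__":
    # Hyphenated names pass through the old pattern untouched.
    print("before:", leaked(SAMPLE_HEADERS, BEFORE))
    # Only the non-sensitive header should remain readable afterwards.
    print("after: ", leaked(SAMPLE_HEADERS, AFTER))
```
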