Skip to content

fix(httpdump): redact sensitive headers in request and response dumps#695

Open
fallintoplace wants to merge 1 commit into
openai:mainfrom
fallintoplace:fix/redact-http-dump-headers
Open

fix(httpdump): redact sensitive headers in request and response dumps#695
fallintoplace wants to merge 1 commit into
openai:mainfrom
fallintoplace:fix/redact-http-dump-headers

Conversation

@fallintoplace

@fallintoplace fallintoplace commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Why

HTTP dumps produced for API errors and debug logging could include sensitive header values. That could expose bearer tokens, API keys, organization and project identifiers, webhook signatures, or cookie values in logs.

What changed

  • Add one case-insensitive redaction helper for sensitive headers.
  • Apply it to API error request/response dumps and option debug logging.
  • Restore the original header maps after dumping so live requests and responses are not mutated.
  • Add coverage for sensitive and non-sensitive headers, including manually constructed non-canonical header names.

Validation

  • go test ./internal/apierror ./internal/httpdump ./option

@fallintoplace fallintoplace requested a review from a team as a code owner June 26, 2026 22:28
@fallintoplace fallintoplace changed the title Redact sensitive headers in HTTP dump helpers fix(httpdump): redact sensitive headers in request and response dumps Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant