Dmytro Sylaiev created CXF-9082:
-----------------------------------

             Summary: SENSITIVE_HEADERS list is hardcoded
                 Key: CXF-9082
                 URL: https://issues.apache.org/jira/browse/CXF-9082
             Project: CXF
          Issue Type: Improvement
    Affects Versions: 3.6.4, 3.5.9
            Reporter: Dmytro Sylaiev


The org.apache.cxf.transport.http.Headers class from cxf-rt-transports-http.jar 
contains behavior to mask sensitive headers when printing them to a log, unless 
the ALLOW_LOGGING_SENSITIVE_HEADERS property is set to true. 

But the issue here is that the list of sensitive headers is private final, 
there's no public getter to modify the list, and it contains only 2 values 
("Authorization", "Proxy-Authorization").

When you're using httpclient with some Api-Key auth, or the request has any 
sensitive information besides these 2 headers, it would be printed to the 
debug console.
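As an added illustration (not CXF's own code or API), here is a standalone Java helper showing the shape of the improvement the report asks for: a sensitive-header set the caller can extend, matched case-insensitively since HTTP header names are case-insensitive, with a toggle analogous to ALLOW_LOGGING_SENSITIVE_HEADERS. The class name, the sample headers and the extra header names are constructed for this example.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.stream.Collectors;

/** Illustrative header-masking helper; not CXF's Headers class. */
public final class HeaderMasking {
    // Defaults mirror the two names the report says are hardcoded.
    private static final Set<String> DEFAULT_SENSITIVE =
        Set.of("Authorization", "Proxy-Authorization");
    private static final String MASK = "***";

    private final Set<String> sensitive;     // case-insensitive, extensible
    private final boolean allowLogSensitive; // analogue of ALLOW_LOGGING_SENSITIVE_HEADERS

    public HeaderMasking(Set<String> extraSensitive, boolean allowLogSensitive) {
        // TreeSet with CASE_INSENSITIVE_ORDER makes contains() ignore case,
        // so "authorization" and "AUTHORIZATION" are both masked.
        Set<String> s = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        s.addAll(DEFAULT_SENSITIVE);
        s.addAll(extraSensitive);
        this.sensitive = s;
        this.allowLogSensitive = allowLogSensitive;
    }

    /** Returns a copy of the headers with sensitive values replaced by MASK. */
    public Map<String, List<String>> maskForLogging(Map<String, List<String>> headers) {
        Map<String, List<String>> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.forEach((name, values) -> {
            boolean hide = !allowLogSensitive && sensitive.contains(name);
            out.put(name, hide
                ? values.stream().map(v -> MASK).collect(Collectors.toList())
                : values);
        });
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers, including an API-key header
        // that a hardcoded two-entry list would log in clear text.
        Map<String, List<String>> req = Map.of(
            "Content-Type", List.of("application/json"),
            "authorization", List.of("Bearer constructed-sample-token"),
            "X-Api-Key", List.of("constructed-sample-key"));
        HeaderMasking m = new HeaderMasking(Set.of("X-Api-Key", "Cookie"), false);
        m.maskForLogging(req).forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```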


