Dmytro Sylaiev created CXF-9082:
-----------------------------------
Summary: SENSITIVE_HEADERS list is hardcoded
Key: CXF-9082
URL: https://issues.apache.org/jira/browse/CXF-9082
Project: CXF
Issue Type: Improvement
Affects Versions: 3.6.4, 3.5.9
Reporter: Dmytro Sylaiev

The org.apache.cxf.transport.http.Headers from cxf-rt-transports-http.jar
contains a behavior to mask sensitive headers when printing them to a log until
the ALLOW_LOGGING_SENSITIVE_HEADERS property is set to true.

But the issue here is that the list of sensitive headers is private final,
there's no public getter to modify the list, and it contains only 2 values
("Authorization", "Proxy-Authorization").

When you're using httpclient with some Api-Key auth or the request has any
sensitive information besides these 2 headers, they would be printed to the
debug console.
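
The gap reported above, as an added example (not CXF's own code and not from the reporter): a header-masking routine run once with the two built-in names from the report and once with a caller-extended list. The class `HeaderLogMasking`, the method `maskForLog`, the `***` mask string, the `X-Api-Key` header name, the case-insensitive matching and all sample values are assumptions made for illustration.

```java
import java.util.*;

// Added illustration; not org.apache.cxf.transport.http.Headers.
public class HeaderLogMasking {
    // The two header names the report says are built in.
    static final Set<String> DEFAULT_SENSITIVE =
            Set.of("Authorization", "Proxy-Authorization");

    // Returns a copy of the headers that is safe to write to a log.
    // 'sensitive' is supplied by the caller; names are matched
    // case-insensitively (a choice made in this example).
    static Map<String, List<String>> maskForLog(Map<String, List<String>> headers,
                                                Collection<String> sensitive,
                                                boolean allowSensitive) {
        Set<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        names.addAll(sensitive);
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            // Header maps can carry a null key (e.g. a status line); never look it up.
            boolean mask = !allowSensitive && name != null && names.contains(name);
            out.put(name, mask ? List.of("***") : e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("authorization", List.of("Bearer constructed-token"));
        headers.put("X-Api-Key", List.of("constructed-api-key"));
        headers.put("Accept", List.of("application/json"));

        // Fixed two-entry list: the API key value reaches the log unmasked.
        System.out.println(maskForLog(headers, DEFAULT_SENSITIVE, false));

        // Caller-extended list: the API key is masked as well.
        List<String> extended = new ArrayList<>(DEFAULT_SENSITIVE);
        extended.add("X-Api-Key");
        System.out.println(maskForLog(headers, extended, false));
    }
}
```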