Dmytro Sylaiev created CXF-9082:
-----------------------------------

Summary: SENSITIVE_HEADERS list is hardcoded
Key: CXF-9082
URL: https://issues.apache.org/jira/browse/CXF-9082
Project: CXF
Issue Type: Improvement
Affects Versions: 3.6.4, 3.5.9
Reporter: Dmytro Sylaiev

The org.apache.cxf.transport.http.Headers from cxf-rt-transports-http.jar contains a behavior to mask sensitive headers when printing them to a log until the ALLOW_LOGGING_SENSITIVE_HEADERS property is set to true. But the issue here is that the list of sensitive headers is private final, there's no public getter to modify the list, and it contains only 2 values ("Authorization", "Proxy-Authorization").

When you're using httpclient with some Api-Key auth, or the request has any sensitive information besides these 2 headers, they would be printed to the debug console.
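
An added sketch of the behavior the issue asks for, not CXF code and not the reporter's: a redactor that starts from the two header names listed above and accepts extra names from the deployment. The class name `HeaderRedactor`, the `***` mask string, and the sample `X-Api-Key` and `Cookie` names are assumptions made for illustration.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Hypothetical helper, not a CXF class: masks header values before they are logged. */
public class HeaderRedactor {
    private static final String MASK = "***"; // assumed mask string

    // Case-insensitive set, because HTTP header names are case-insensitive.
    private final Set<String> sensitive = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

    public HeaderRedactor(Collection<String> extraSensitiveHeaders) {
        // The two names the issue reports as the hardcoded defaults.
        sensitive.add("Authorization");
        sensitive.add("Proxy-Authorization");
        // Deployment-specific additions, for example loaded from configuration.
        sensitive.addAll(extraSensitiveHeaders);
    }

    /** Returns a copy that is safe to log; the input map is left untouched. */
    public Map<String, List<String>> redact(Map<String, List<String>> headers) {
        Map<String, List<String>> safe = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            List<String> values = e.getValue();
            boolean hide = name != null && values != null && sensitive.contains(name);
            // Keep the number of values visible, but never the values themselves.
            safe.put(name, hide ? Collections.nCopies(values.size(), MASK) : values);
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample request headers.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Accept", List.of("application/json"));
        headers.put("authorization", List.of("Bearer constructed-token"));
        headers.put("X-Api-Key", List.of("constructed-api-key"));

        HeaderRedactor redactor = new HeaderRedactor(List.of("X-Api-Key", "Cookie"));
        System.out.println(redactor.redact(headers));
    }
}
```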