admin: redact sensitive request headers in API logs

The admin API handler was logging request headers using zap.Reflect,
which serializes the raw header map without any redaction. This could
expose sensitive headers like Cookie, Set-Cookie, Authorization, and
Proxy-Authorization in logs.

This change uses LoggableHTTPHeader instead, which redacts these
sensitive headers unless ShouldLogCredentials is explicitly enabled.
This is consistent with how headers are logged everywhere else in the
codebase.

Fixes #7566
OpenClaw Agent 2026-03-30 04:43:45 +00:00
parent 30b80bece8
commit 2ad511c1fb


@ -45,6 +45,8 @@ import (
"github.com/prometheus/client_golang/prometheus"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
)
// testCertMagicStorageOverride is a package-level test hook. Tests may set
@ -800,7 +802,7 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
zap.String("uri", r.RequestURI),
zap.String("remote_ip", ip),
zap.String("remote_port", port),
zap.Reflect("headers", r.Header),
zap.Object("headers", caddyhttp.LoggableHTTPHeader{Header: r.Header}),
)
if r.TLS != nil {
log = log.With(
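Review bot: The `github.com/caddyserver/caddy/v2/modules/caddyhttp` import added to the import block is likely to produce an import cycle: `adminHandler.ServeHTTP` lives in the root `caddy` package in upstream Caddy, and `modules/caddyhttp` imports that root package, so `go build` should reject this change unless the admin handler has since been moved out of the root package (hedged, since the file path is not visible here). The redaction the description wants does not need the whole HTTP module; either move `LoggableHTTPHeader` into a leaf package both sides can import, or add a small unexported helper in this package that clones `r.Header` and replaces the values of `Cookie`, `Set-Cookie`, `Authorization` and `Proxy-Authorization` with a fixed placeholder before it is logged. On the `zap.Object("headers", ...)` line the redaction is switched on only by the zero value of `ShouldLogCredentials`, which is easy to miss when reading the call; if the import does resolve, a comment such as `// ShouldLogCredentials is left false so credential headers are redacted` would make the intent explicit. The body of `ServeHTTP` continues outside the hunk.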