From 2ad511c1fbe5775adca9ba49ac6ad2b20d9df069 Mon Sep 17 00:00:00 2001
From: OpenClaw Agent
Date: Mon, 30 Mar 2026 04:43:45 +0000
Subject: [PATCH] admin: redact sensitive request headers in API logs

The admin API handler was logging request headers using zap.Reflect, which serializes the raw header map without any redaction. This could expose sensitive headers like Cookie, Set-Cookie, Authorization, and Proxy-Authorization in logs. This change uses LoggableHTTPHeader instead, which redacts these sensitive headers unless ShouldLogCredentials is explicitly enabled. This is consistent with how headers are logged everywhere else in the codebase. Fixes #7566
---
 admin.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/admin.go b/admin.go
index 9c9102120..5e1d6ff26 100644
--- a/admin.go
+++ b/admin.go
@@ -45,6 +45,8 @@ import (
 "github.com/prometheus/client_golang/prometheus"
 "go.uber.org/zap"
 "go.uber.org/zap/zapcore"
+
+ "github.com/caddyserver/caddy/v2/modules/caddyhttp"
 )
 
 // testCertMagicStorageOverride is a package-level test hook. Tests may set
@@ -800,7 +802,7 @@ func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 zap.String("uri", r.RequestURI),
 zap.String("remote_ip", ip),
 zap.String("remote_port", port),
- zap.Reflect("headers", r.Header),
+ zap.Object("headers", caddyhttp.LoggableHTTPHeader{Header: r.Header}),
 )
 if r.TLS != nil {
 log = log.With(
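Review bot: Adding `"github.com/caddyserver/caddy/v2/modules/caddyhttp"` to admin.go's import block very likely creates an import cycle: admin.go sits at the module root (presumably `package caddy`), and as far as I know caddyhttp imports that root package for `caddy.Module`, `caddy.Context` and module registration, so `go build` would reject this before the redaction ever runs. The `zap.Object("headers", caddyhttp.LoggableHTTPHeader{Header: r.Header})` line in the ServeHTTP hunk depends on the same import, so both hunks are affected. A cycle-free version keeps that call site as written but places the redacting `zapcore.ObjectMarshaler` either in the root package or in a leaf package both `caddy` and `caddyhttp` can import, with caddyhttp's `LoggableHTTPHeader` delegating to it so the redacted-header list (Cookie, Set-Cookie, Authorization, Proxy-Authorization) is maintained in exactly one place. Either way the call site deserves a why-comment, e.g. `// headers go through the redacting marshaler; ShouldLogCredentials is deliberately left false for the admin API`, since nothing in the hunk explains why plain zap.Reflect was unsafe. ServeHTTP's body continues outside the hunk.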