docs(sensitive-data): Overhaul docs around HTTP headers #15616
| - HTTP Headers: The keys of known sensitive headers (such as `Authorization` or `Cookie`) are added, while their values must be replaced with `"[Filtered]"`. | ||
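Review bot: "The keys of known sensitive headers ... are added" does not say what they are added to; consider "are kept in the event" so it is explicit that the header name is retained and only its value becomes `"[Filtered]"`.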
| <Expandable title="List of sensitive HTTP headers"> |
Let’s show all content instead.
| The SDK performs a **partial, case-insensitive match** against the following headers to determine if they are sensitive: | ||
| `['auth', 'token', 'secret', 'cookie', '-user', 'password', 'key', 'jwt', 'bearer', 'sso', 'saml']` |
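Review bot: `cookie` in this pattern list makes the whole `Cookie` header match, which is at odds with the per-cookie filtering described further down (only sensitive cookie values replaced, the whole header only when it cannot be parsed); either drop `cookie` here, as the later revision of the list does, or state that `Cookie` is handled separately.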
What are examples for -user?
As the strings are partially matched, user-agent would also match if it is just user. -user would match e.g. x-user.
| and is **disabled by default**. That means that data that is naturally sensitive is not sent by default. | ||
| Some examples of data guarded by this flag: | ||
| Handling sensitive data in the SDK regardless of the `send_default_pii` setting: |
| Handling sensitive data in the SDK regardless of the `send_default_pii` setting: | |
| Certain sensitive data must never been sent by the SDK, regardless of any config: |
| Certain sensitive data must never been sent by the SDK, regardless of any config: | ||
| - HTTP Headers: The keys of known sensitive headers are added, while their values must be replaced with `"[Filtered]"`. | ||
| - The SDK performs a **partial, case-insensitive match** against the following headers to determine if they are sensitive: `["auth", "token", "secret", "password", "passwd", "key", "jwt", "bearer", "sso", "saml", "crsf", "xsrf", "credentials"]` |
Bug: CSRF misspelled as CRSF in sensitive header list
The sensitive header matching list includes "crsf" instead of "csrf". Since SDKs perform partial case-insensitive matching against this list to filter sensitive headers, the misspelling means headers containing csrf won't be detected and filtered. This allows CSRF tokens to be sent unfiltered to Sentry, exposing sensitive security credentials that should always be replaced with "[Filtered]".
| - HTTP Headers: The keys of known sensitive headers (such as `Authorization` or `Cookie`) are added, while their values must be replaced with `"[Filtered]"`. | ||
| - HTTP Headers: The keys of known sensitive headers are added, while their values must be replaced with `"[Filtered]"`. | ||
| - The SDK performs a **partial, case-insensitive match** against the following headers to determine if they are sensitive: `["auth", "token", "secret", "password", "passwd", "key", "jwt", "bearer", "sso", "saml", "crsf", "xsrf", "credentials"]` |
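Review bot: "match against the following headers" is misleading, since the entries are substrings of header names rather than header names; suggest "the following substrings of header names" so readers do not take the list as exhaustive.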
| - The SDK performs a **partial, case-insensitive match** against the following headers to determine if they are sensitive: `["auth", "token", "secret", "password", "passwd", "key", "jwt", "bearer", "sso", "saml", "crsf", "xsrf", "credentials"]` | |
| - The SDK performs a **partial, case-insensitive match** against the following headers to determine if they are sensitive: `["auth", "token", "secret", "password", "passwd", "key", "jwt", "bearer", "sso", "saml", "csrf", "xsrf", "credentials"]` |
Co-authored-by: Michi Hoffmann <[email protected]>
| Certain sensitive data must never been sent by the SDK, regardless of any configuration: | ||
| - HTTP Headers: The keys of known sensitive headers are added, while their values must be replaced with `"[Filtered]"`. | ||
| - The SDK performs a **partial, case-insensitive match** against the following headers to determine if they are sensitive: `["auth", "token", "secret", "password", "passwd", "pwd", "key", "jwt", "bearer", "sso", "saml", "crsf", "xsrf", "credentials"]` |
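Review bot: "must never been sent" in the first line of this hunk should read "must never be sent".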
Bug: Typo in sensitive header pattern list
The sensitive header pattern list contains "crsf" instead of "csrf". This typo prevents SDKs from properly filtering Cross-Site Request Forgery headers during partial case-insensitive matching, potentially allowing sensitive CSRF tokens to be sent to Sentry unfiltered.
| In case, the SDK cannot parse each cookie key-value pair, the entire cookie header must be replaced with `"[Filtered]"`. An unfiltered, raw cookie header value must never be sent. | ||
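Review bot: the leading "In case," reads as a dangling clause; "If the SDK cannot parse every cookie key-value pair, the entire cookie header must be replaced with `"[Filtered]"`." is clearer.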
| This selective filtering prevents capturing sensitive data while retaining harmless contextual information for debugging. | ||
| For example, a sensitive session cookie's value is replaced with "[Filtered]", but a non-sensitive theme cookie can be sent as-is. |
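Review bot: `[Filtered]` here is unquoted and unformatted while the bullets above write it as `"[Filtered]"` in code formatting; use the same form throughout so the literal placeholder is unambiguous.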
What does "theme cookie" mean here?
For setting the theme preference (dark/light etc). But I'll rewrite that a bit.
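The matching rules discussed in the comments above (partial, case-insensitive substring match on header names, the `-user` versus `user` distinction, and per-cookie filtering with a whole-header fallback when the `Cookie` header cannot be parsed), as an added reference implementation that is not Sentry's SDK code. `parse_cookies`, `SAMPLE_HEADERS` and matching cookie names against the same pattern list are assumptions made for this example.

```python
FILTERED = "[Filtered]"

# Substring patterns from the PR's final list, with "crsf" corrected to
# "csrf" as the review suggested.
SENSITIVE_PATTERNS = (
    "auth", "token", "secret", "password", "passwd", "pwd", "key", "jwt",
    "bearer", "sso", "saml", "csrf", "xsrf", "credentials",
)

# Constructed sample request used by the checks below.
SAMPLE_HEADERS = {"Authorization": "Bearer x", "User-Agent": "curl/8.0",
                  "Cookie": "theme=dark; csrftoken=xyz"}


def is_sensitive(name, patterns=SENSITIVE_PATTERNS):
    """Partial, case-insensitive match: any pattern occurring anywhere in name."""
    lowered = name.lower()
    return any(p in lowered for p in patterns)


def parse_cookies(raw):
    """Strict parser (constructed for this example): each part must be key=value."""
    cookies = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"unparseable cookie fragment: {part!r}")
        cookies[key.strip()] = value.strip()
    return cookies


def filter_cookie_header(raw):
    """Scrub sensitive cookies (assumption: names use the same patterns); scrub all on parse failure."""
    try:
        cookies = parse_cookies(raw)
    except ValueError:
        return FILTERED  # an unfiltered raw cookie value must never be sent
    return "; ".join(f"{k}={FILTERED if is_sensitive(k) else v}"
                     for k, v in cookies.items())


def filter_headers(headers):
    """Keep every header key; replace sensitive values, handling Cookie per cookie."""
    out = {}
    for name, value in headers.items():
        if name.lower() == "cookie":
            out[name] = filter_cookie_header(value)
        else:
            out[name] = FILTERED if is_sensitive(name) else value
    return out
```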
DESCRIBE YOUR PR
Being more explicit about which HTTP headers we consider as sensitive and how SDKs should handle the data.