Description
The plugin currently records all request headers as span attributes (http.request.header.*) and all cookies as http.request.cookie, with no filtering or opt-in mechanism. The only header excluded is user-agent.
This means Authorization, Cookie, Set-Cookie, and other sensitive headers are written into every span by default, which is a security concern — especially when traces are exported to third-party backends.
The OpenTelemetry HTTP semantic conventions state:
Instrumentations SHOULD by default only add sanitized, non-sensitive headers. Instrumentations MAY offer a configuration option to opt into recording sensitive headers.
Suggested fix
Add a configurable deny-list (defaulting to at least authorization, cookie, set-cookie, proxy-authorization) or switch to an opt-in allow-list for header recording. This aligns with how other OTel HTTP instrumentations handle it (e.g., @opentelemetry/instrumentation-http has headersToSpanAttributes which is opt-in).
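As an added illustration of that suggestion (example code written for this issue, not the plugin's own code; the option names `denyList`, `allowList` and `cookieAllowList`, the helper names and the sample request are assumptions), this is a sanitizer the onTransform hook could call instead of copying headers through. It supports both shapes described above: a deny-list that is on by default, and an allow-list that turns recording into an explicit opt-in, including for sensitive headers. Cookie names are kept but their values are redacted unless individually allow-listed.

```typescript
// Added example for this issue, not the plugin's own code. Option names,
// helper names and the sample request below are assumptions.

interface HeaderRecordingOptions {
  // Lower-cased header names that are never recorded (deny-list mode).
  denyList?: string[]
  // When set, ONLY these header names are recorded (opt-in allow-list mode).
  // Listing a sensitive header here is the explicit opt-in the semconv allows.
  allowList?: string[]
  // Cookie names whose values may be recorded; every other value is redacted.
  cookieAllowList?: string[]
}

// Default deny-list: the four headers named in the issue plus user-agent,
// which the plugin already skips today.
const DEFAULT_DENY_LIST = [
  'authorization',
  'proxy-authorization',
  'cookie',
  'set-cookie',
  'user-agent',
]

const REDACTED = '[REDACTED]'

// Builds the http.request.header.* attributes from a request's headers.
// Accepts anything iterable as [name, value] pairs (e.g. `headers.entries()`).
function headerAttributes(
  headers: Iterable<[string, string]>,
  opts: HeaderRecordingOptions = {},
): Record<string, string> {
  const deny = new Set((opts.denyList ?? DEFAULT_DENY_LIST).map((h) => h.toLowerCase()))
  const allow = opts.allowList ? new Set(opts.allowList.map((h) => h.toLowerCase())) : null
  const attributes: Record<string, string> = {}

  for (const [rawKey, value] of headers) {
    const key = rawKey.toLowerCase()
    if (allow) {
      // Opt-in mode: anything not explicitly listed is dropped.
      if (!allow.has(key)) continue
    } else if (deny.has(key)) {
      // Deny-list mode: sensitive headers are dropped, everything else recorded.
      continue
    }
    attributes[`http.request.header.${key}`] = value
  }
  return attributes
}

// Builds the http.request.cookie attribute. Cookie names are kept (useful for
// debugging) but values are redacted unless the cookie is on the allow-list.
// Mirrors the plugin's JSON.stringify(value) encoding for recorded values.
function cookieAttribute(
  cookies: Record<string, { value: unknown }>,
  opts: HeaderRecordingOptions = {},
): string | undefined {
  const allow = new Set(opts.cookieAllowList ?? [])
  const out: Record<string, string> = {}
  for (const [name, { value }] of Object.entries(cookies)) {
    out[name] = allow.has(name) ? JSON.stringify(value) : REDACTED
  }
  return Object.keys(out).length > 0 ? JSON.stringify(out) : undefined
}

// Constructed sample request (not real traffic).
const SAMPLE_HEADERS: [string, string][] = [
  ['Host', 'api.example.test'],
  ['Authorization', 'Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig'],
  ['Cookie', 'session=abc123; theme=dark'],
  ['Content-Type', 'application/json'],
  ['X-Request-Id', 'req-42'],
]
const SAMPLE_COOKIES = {
  session: { value: 'abc123' },
  theme: { value: 'dark' },
}

console.log(headerAttributes(SAMPLE_HEADERS))
console.log(headerAttributes(SAMPLE_HEADERS, { allowList: ['x-request-id'] }))
console.log(cookieAttribute(SAMPLE_COOKIES))
console.log(cookieAttribute(SAMPLE_COOKIES, { cookieAllowList: ['theme'] }))
```

With the defaults, `Authorization` and `Cookie` never reach the span; with `allowList`, nothing is recorded unless named, so adding `authorization` there is a deliberate opt-in rather than an accident. Set-Cookie is a response header and will not normally appear among request headers, but keeping it in the default deny-list costs nothing and covers a future response-header path.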
Where in the source
In src/index.ts, the onTransform hook iterates over all headers and writes them unconditionally:
```ts
for (let [key, value] of _headers) {
  key = key.toLowerCase()
  if (hasHeaders) {
    if (key === 'user-agent') continue
    // Everything else — including authorization, cookie — goes straight in
    attributes[`http.request.header.${key}`] = value
    continue
  }
  // ...
}
```

And cookies are also recorded without any filtering:
```ts
if (cookie) {
  const _cookie = <Record<string, string>>{}
  for (const [key, { value }] of Object.entries(cookie))
    _cookie[key] = JSON.stringify(value)
  attributes['http.request.cookie'] = JSON.stringify(_cookie)
}
```

Related
- elysia#925 "Open Telemetry is exposing secrets" (closed without an upstream fix; the reporter used a RedactingSpanExporter workaround)