getsentry · s1gr1d · Nov 24, 2025 · Nov 25, 2025 · Nov 25, 2025 · Nov 25, 2025
diff --git a/develop-docs/sdk/expected-features/data-handling.mdx b/develop-docs/sdk/expected-features/data-handling.mdx
@@ -13,11 +13,22 @@ In the event that API returns data considered PII, we guard that behind a flag c
 This is an option in the SDK called [_send-default-pii_](https://docs.sentry.io/platforms/python/configuration/options/#send-default-pii)
 and is **disabled by default**. That means that data that is naturally sensitive is not sent by default.
 
-Some examples of data guarded by this flag:
+Handling sensitive data in the SDK regardless of the `send_default_pii` setting:
-Handling sensitive data in the SDK regardless of the `send_default_pii` setting:
+Certain sensitive data must never been sent by the SDK, regardless of any config:
-Handling sensitive data in the SDK regardless of the `send_default_pii` setting:
+Certain sensitive data must never been sent by the SDK, regardless of any config:
+
+- HTTP Headers: The keys of known sensitive headers (such as `Authorization` or `Cookie`) are added, while their values must be replaced with `"[Filtered]"`.
+
+<Expandable title="List of sensitive HTTP headers">
+
+  The SDK performs a **partial, case-insensitive match** against the following headers to determine if they are sensitive:
+
+  `['auth', 'token', 'secret', 'cookie', '-user', 'password', 'key', 'jwt', 'bearer', 'sso', 'saml']`
+
+</Expandable>
+
+Some examples of data guarded by `send_default_pii: false`:
 
 - When attaching data of HTTP requests and/or responses to events
   - Request Body: "raw" HTTP bodies (bodies which cannot be parsed as JSON or formdata) are removed
-  - HTTP Headers: known sensitive headers such as `Authorization` or `Cookie` are removed too.
   - _Note_ that if a user explicitly sets a request on the scope, nothing is stripped from that request. The above rules only apply to integrations that come with the SDK.
 - User-specific information (e.g. the current user ID according to the used web-framework) is not sent at all.
 - On desktop applications

diff --git a/develop-docs/sdk/expected-features/index.mdx b/develop-docs/sdk/expected-features/index.mdx
@@ -361,7 +361,7 @@ The HTTP Client integration should have 3 configuration options:
   - If the language has a `Range` type, it should be used instead of `HttpStatusCodeRange`.
 - `failedRequestTargets` defaults to (`.*`), this configuration option accepts a `List` of `String` that may be Regular expressions as well, similar to <Link to="/sdk/telemetry/traces/#tracepropagationtargets">tracePropagationTargets</Link>.
   - The SDK will only capture HTTP Client errors if the HTTP Request URL is a match for any of the `failedRequestsTargets`.
--  sensitive `headers` should only be set if `sendDefaultPii` is enabled, e.g. `Cookie` and `Set-Cookie`.
+-  While the keys of sensitive HTTP headers (e.g. `Cookie` and `Set-Cookie`) are included, their values must be replaced with `"[Filtered]"` (also see <Link to="/sdk/expected-features/data-handling/#sensitive-data">Data Handling: Sensitive Data</Link>).
 
 The HTTP Client integration should capture error events with the following properties: