feat(core): redact sensitive headers in the fetch log #1585
Conversation
Redact Authorization, Cookie, Set-Cookie, Proxy-Authorization, X-Api-Key, and x-mcp-remote-auth to [REDACTED] in createFetchTracker before any request/response entry reaches the in-memory log, pino logger, or persisted session storage. Comparison is case-insensitive; original key casing is preserved and the live outbound request is untouched.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
@claude review
Claude finished @cliffhall's task in 1m 0s

Code Review: redact sensitive headers in the fetch log

Reviewed

Strengths

Consideration (scope, not a bug)

Request/response bodies are still recorded verbatim. So a bearer redacted from the

Minor, related: tokens that ride in the URL query string (

Nits

Verdict: LGTM for the header-redaction scope. Recommend confirming a tracking issue exists for body/URL redaction so the "OAuth tokens ride these requests" motivation is fully closed out later.
📋 Smoke test & AGENTS.md audit for this PR: #1561 (comment) (posted on the linked issue #1561).
Closes #1561
Summary
Redacts sensitive header values in `createFetchTracker` before any request/response entry is recorded. `Authorization`, `Cookie`, `Set-Cookie`, `Proxy-Authorization`, `X-Api-Key`, and `x-mcp-remote-auth` are replaced with a `[REDACTED]` marker on both request and response headers.

Recorded fetch entries flow to the in-memory log (visible in the Network UI), the pino logger, and persisted session storage. None of those sinks should ever see a live bearer token or session cookie, especially once OAuth tokens ride these requests.

Details

- `SENSITIVE_HEADERS` set + `REDACTED_HEADER_VALUE` constant + exported `redactSensitiveHeaders()` in `core/mcp/fetchTracking.ts`.
- Re-implements the fetch-log redaction slice of PR #1510 (reference head 33fac3f), scoped per tracking issue #1579 Wave 1.

Testing

- `clients/web` unit tests for `fetchTracking` pass (redaction on request, error path, response; `redactSensitiveHeaders` case-insensitivity + non-mutation).
- `test:coverage` passes ≥90 on all four dimensions.
- `validate:web` and `test:integration` (799/799) green.

🤖 Generated with Claude Code
https://claude.ai/code/session_01S3fTN8H3R8YV4yUGvZjYnX
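The redaction behaviour the PR describes (case-insensitive match on the listed header names, original key casing kept, the input left unmutated, applied before an entry reaches any sink), written out as an added TypeScript example that is not the project's own code. The `FetchLogEntry` shape, the `recordFetch` wrapper and the sample headers are assumptions made for the example.

```typescript
// Added example, not the project's fetchTracking.ts. Header list and the
// [REDACTED] marker follow the PR description; everything else is assumed.

type HeaderMap = Record<string, string | string[]>;

// Stored lower-cased so "Authorization", "AUTHORIZATION" and "authorization" all match.
const SENSITIVE_HEADERS: ReadonlySet<string> = new Set([
  "authorization",
  "cookie",
  "set-cookie",
  "proxy-authorization",
  "x-api-key",
  "x-mcp-remote-auth",
]);

const REDACTED_HEADER_VALUE = "[REDACTED]";

// Returns a fresh object: the caller's key casing is preserved, sensitive values are
// replaced, and the input (which still backs the live outbound request) is not touched.
function redactSensitiveHeaders(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    if (SENSITIVE_HEADERS.has(name.toLowerCase())) {
      // Multi-valued headers (several Set-Cookie lines) keep their count so a reader
      // can still see how many values were present without seeing any of them.
      out[name] = Array.isArray(value)
        ? value.map(() => REDACTED_HEADER_VALUE)
        : REDACTED_HEADER_VALUE;
    } else {
      out[name] = Array.isArray(value) ? [...value] : value;
    }
  }
  return out;
}

// Hypothetical log entry: redaction happens at construction, so the in-memory log,
// the structured logger and persisted storage all receive the same scrubbed copy.
interface FetchLogEntry {
  url: string;
  requestHeaders: HeaderMap;
  responseHeaders: HeaderMap;
}

function recordFetch(url: string, req: HeaderMap, res: HeaderMap): FetchLogEntry {
  return { url, requestHeaders: redactSensitiveHeaders(req), responseHeaders: redactSensitiveHeaders(res) };
}

// Constructed sample: a bearer token on the request, two cookies set by the response.
const sampleRequest: HeaderMap = { Authorization: "Bearer abc123", Accept: "application/json" };
const sampleResponse: HeaderMap = { "SET-COOKIE": ["sid=1", "csrf=2"], "Content-Type": "text/plain" };
const sampleEntry = recordFetch("https://example.test/mcp", sampleRequest, sampleResponse);
```

Note that only header values are scrubbed; request/response bodies and tokens carried in the URL query string pass through unchanged, which is the follow-up scope the review comment above calls out.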