You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Cyrus Vafadari (Jira)" <ji...@apache.org> on 2021/02/17 19:18:00 UTC
[jira] [Created] (HTTPCLIENT-2138) Debug Log level logs sensitive
information
Cyrus Vafadari created HTTPCLIENT-2138:
------------------------------------------
Summary: Debug Log level logs sensitive information
Key: HTTPCLIENT-2138
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2138
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient (classic)
Reporter: Cyrus Vafadari
When I enable debug level logging, I see
```
[2021-01-20 18:02:35,862] DEBUG http-outgoing-0 >> Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64> (org.apache.http.headers:139) [2021-01-20 18:02:35,884] DEBUG http-outgoing-0 >> "Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64>[\r][\n]" (org.apache.http.wire:54) [2021-01-20 18:02:35,899] DEBUG http-outgoing-0 << " <title>Unauthorized (401)</title>[\n]" (org.apache.http.wire:54)
```
If agreed, I can open a PR to mask secrets in the debug log. If that makes the log less useful, I can at least make this configurable, since in my case it is a security violation to have any secrets whatsover in the logs
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org