s1gr1d (Member) commented Nov 24, 2025

In case an HTTP header is considered "sensitive" (could contain tokens), the value is already filtered within the SDK.


Follow-up on this PR:

@s1gr1d s1gr1d requested review from AbhiPrasad and Lms24 November 24, 2025 16:35
Comment on lines 153 to 147
export function httpHeadersToSpanAttributes(
headers: Record<string, string | string[] | undefined>,
sendDefaultPii: boolean = false,
): Record<string, string> {
const spanAttributes: Record<string, string> = {};

try {

This comment was marked as resolved.

Lms24 (Member) commented Nov 24, 2025

(For transparency: We reviewed this PR offline prior to opening it, therefore the comment-less ✅ )

github-actions bot (Contributor) commented Nov 24, 2025

size-limit report 📦

| Path | Size | % Change | Change |
| --- | --- | --- | --- |
| @sentry/browser | 24.8 kB | - | - |
| @sentry/browser - with treeshaking flags | 23.31 kB | - | - |
| @sentry/browser (incl. Tracing) | 41.54 kB | - | - |
| @sentry/browser (incl. Tracing, Profiling) | 46.13 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) | 79.96 kB | - | - |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 69.68 kB | - | - |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 84.64 kB | - | - |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 96.88 kB | - | - |
| @sentry/browser (incl. Feedback) | 41.48 kB | - | - |
| @sentry/browser (incl. sendFeedback) | 29.49 kB | - | - |
| @sentry/browser (incl. FeedbackAsync) | 34.43 kB | - | - |
| @sentry/react | 26.52 kB | - | - |
| @sentry/react (incl. Tracing) | 43.74 kB | - | - |
| @sentry/vue | 29.25 kB | - | - |
| @sentry/vue (incl. Tracing) | 43.34 kB | - | - |
| @sentry/svelte | 24.82 kB | - | - |
| CDN Bundle | 27.17 kB | - | - |
| CDN Bundle (incl. Tracing) | 42.16 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) | 78.7 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 84.15 kB | - | - |
| CDN Bundle - uncompressed | 79.84 kB | - | - |
| CDN Bundle (incl. Tracing) - uncompressed | 125.22 kB | - | - |
| CDN Bundle (incl. Tracing, Replay) - uncompressed | 241.25 kB | - | - |
| CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed | 254.01 kB | - | - |
| @sentry/nextjs (client) | 45.96 kB | - | - |
| @sentry/sveltekit (client) | 41.9 kB | - | - |
| @sentry/node-core | 51.19 kB | +0.02% | +9 B 🔺 |
| @sentry/node | 159.24 kB | +0.01% | +6 B 🔺 |
| @sentry/node - without tracing | 92.83 kB | - | - |
| @sentry/aws-serverless | 108.08 kB | +0.02% | +13 B 🔺 |

github-actions bot (Contributor) commented Nov 24, 2025

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
| --- | --- | --- | --- | --- |
| GET Baseline | 9,129 | - | 8,710 | +5% |
| GET With Sentry | 1,665 | 18% | 1,721 | -3% |
| GET With Sentry (error only) | 6,041 | 66% | 6,128 | -1% |
| POST Baseline | 1,190 | - | 1,187 | +0% |
| POST With Sentry | 565 | 47% | 590 | -4% |
| POST With Sentry (error only) | 1,031 | 87% | 1,044 | -1% |
| MYSQL Baseline | 3,269 | - | 3,260 | +0% |
| MYSQL With Sentry | 424 | 13% | 423 | +0% |
| MYSQL With Sentry (error only) | 2,640 | 81% | 2,604 | +1% |

@s1gr1d s1gr1d enabled auto-merge (squash) November 24, 2025 17:20
@s1gr1d s1gr1d merged commit 6ce620e into develop Nov 24, 2025
201 checks passed
@s1gr1d s1gr1d deleted the sig/http-attributes-fix branch November 24, 2025 17:31
s1gr1d added a commit that referenced this pull request Dec 10, 2025
Parse each individual cookie header and filter sensitive cookies to at least know which keys the cookie string included. Follow-up on #18311 Closes #18441
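
An added example (not part of this PR or the SDK's code) of the filtering discussed in this thread: a header value is redacted when the header name looks sensitive, and the `Cookie` header is redacted per cookie so that its keys stay visible. The name pattern, the `[Filtered]` placeholder, the attribute prefix and the sample headers are assumptions made for this illustration.

```typescript
// Added illustration; not the Sentry SDK's implementation.
// Assumptions: the name fragments below, the "[Filtered]" placeholder and the
// "http.request.header." attribute prefix are chosen for this example.
const SENSITIVE_NAME = /auth|token|secret|session|passw|key|jwt|csrf|sid/i;
const FILTERED = '[Filtered]';
const ATTR_PREFIX = 'http.request.header.';

type HeaderMap = Record<string, string | string[] | undefined>;

// Redact cookie values by cookie name so the cookie keys stay visible.
function filterCookieHeader(raw: string): string {
  return raw
    .split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => {
      const eq = part.indexOf('=');
      if (eq === -1) return part; // bare name without a value: nothing to redact
      const name = part.slice(0, eq).trim();
      return SENSITIVE_NAME.test(name) ? `${name}=${FILTERED}` : part;
    })
    .join('; ');
}

// Map headers to span attributes, redacting values before they leave the process.
function headersToAttributes(headers: HeaderMap): Record<string, string> {
  const attrs: Record<string, string> = {};
  Object.keys(headers).forEach(rawName => {
    const value = headers[rawName];
    if (value === undefined) return;
    const name = rawName.toLowerCase(); // header names are case-insensitive
    if (name === 'cookie') {
      const joined = Array.isArray(value) ? value.join('; ') : value;
      attrs[ATTR_PREFIX + name] = filterCookieHeader(joined);
    } else if (SENSITIVE_NAME.test(name)) {
      attrs[ATTR_PREFIX + name] = FILTERED; // the whole value may be a credential
    } else {
      attrs[ATTR_PREFIX + name] = Array.isArray(value) ? value.join(', ') : value;
    }
  });
  return attrs;
}

// Constructed sample request headers (no real credentials).
const sampleHeaders: HeaderMap = {
  'User-Agent': 'curl/8.5.0',
  Authorization: 'Bearer constructed-token',
  'X-Api-Key': 'constructed-key',
  Cookie: 'theme=dark; session_id=abc123; lang=en',
  Accept: ['text/html', 'application/json'],
};
```

Matching on name fragments errs toward over-redaction: an unrelated header whose name happens to contain one of the fragments is filtered as well, which is the safer failure for telemetry.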