Authorization headers leaked on failed config check

Hi everyone,

I am using the heartbeat hint-based auto discovery feature. I have configured an HTTP monitor and added headers (including the authorization part) to the heartbeat.yml.

When the auto discover config check failed for the given config, the event was logged and unfortunately contained the API key from the authorization headers in plain text. The "hosts" part, however, was masked.

I couldn't find a way to configure masking of these HTTP headers, and briefly browsing through the code led me to this part in the code.

Looks like there is a list of keys that will be masked for a given config and I am guessing that one could add another key for "authorization" there.
Is that already a known topic? Should I file a PR for that? Or is there a more obvious way to achieve masking of HTTP headers?

Thanks,
Nefta
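The key-list masking described in the post above, as an added example that is not part of the original post and is not the project's own code: a recursive redactor that masks values by key name before a config is logged. The key list, the `redact` and `sampleMonitor` names, the `xxxxx` mask and the sample config layout are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// maskedKeys is a constructed list for this example, not the project's own list.
var maskedKeys = map[string]bool{"hosts": true, "password": true}

// redact returns a copy of v with every key in keys (case-insensitive) masked.
func redact(v interface{}, keys map[string]bool) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if keys[strings.ToLower(k)] {
				out[k] = "xxxxx" // mask the whole value, whatever its type
			} else {
				out[k] = redact(val, keys) // descend into nested sections
			}
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = redact(val, keys)
		}
		return out
	default:
		return v
	}
}

// sampleMonitor builds a constructed HTTP monitor config with a nested auth header.
func sampleMonitor() map[string]interface{} {
	return map[string]interface{}{
		"type":  "http",
		"hosts": []interface{}{"https://internal.example/health"},
		"check": map[string]interface{}{"request": map[string]interface{}{
			"headers": map[string]interface{}{"Authorization": "ApiKey CONSTRUCTED-SECRET"},
		}},
	}
}

func main() {
	// "hosts" is masked, but the nested header value is still printed.
	fmt.Println(redact(sampleMonitor(), maskedKeys))
	// With "authorization" in the list, the header value is masked as well.
	fmt.Println(redact(sampleMonitor(), map[string]bool{"hosts": true, "authorization": true}))
}
```

Matching on the lowercased key name is what lets a header written as `Authorization` be caught by a list entry of `authorization`.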

I'd submit a PR if you think you have a fix.
