[ https://issues.apache.org/jira/browse/CXF-9082?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andriy Redko updated CXF-9082:
------------------------------
Fix Version/s: 4.1.0, 3.5.10, 3.6.5, 4.0.6
> SENSITIVE_HEADERS list is hardcoded
> -----------------------------------
>
> Key: CXF-9082
> URL: https://issues.apache.org/jira/browse/CXF-9082
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 3.5.9, 3.6.4
> Reporter: Dmytro Sylaiev
> Priority: Major
> Fix For: 4.1.0, 3.5.10, 3.6.5, 4.0.6
>
>
> The org.apache.cxf.transport.http.Headers from cxf-rt-transports-http.jar
> contains a behavior to mask sensitive headers when printing them to a log until
> the ALLOW_LOGGING_SENSITIVE_HEADERS property is set to true.
> But the issue here is that the list of sensitive headers is private final,
> there's no public getter to modify the list, and it contains only 2 values
> ("Authorization", "Proxy-Authorization").
>
> When you're using httpclient with some Api-Key auth or the request has any
> sensitive information besides these 2 headers, they would be printed to the
> debug console.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
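As an added illustration (not CXF's own code and not a reproduction of its `Headers` class), the Java helper below masks a configurable, case-insensitive set of header names before they reach a log line, with the two names from the report as defaults; the class name, method name and sample header values are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Added example: a log-masking helper whose sensitive-header list can be
// extended by the caller instead of being fixed to two hardcoded names.
public final class HeaderMasker {
    private static final String MASK = "***";

    // Case-insensitive so "authorization" and "Authorization" both match.
    private final Set<String> sensitive = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    private final boolean allowLoggingSensitive;

    public HeaderMasker(Set<String> extraSensitive, boolean allowLoggingSensitive) {
        // Defaults mirror the two names the report says are hardcoded.
        sensitive.add("Authorization");
        sensitive.add("Proxy-Authorization");
        sensitive.addAll(extraSensitive);
        // Mirrors the ALLOW_LOGGING_SENSITIVE_HEADERS toggle described in the report.
        this.allowLoggingSensitive = allowLoggingSensitive;
    }

    /** Returns a copy of the headers with sensitive values replaced by a mask. */
    public Map<String, List<String>> maskForLogging(Map<String, List<String>> headers) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            boolean hide = !allowLoggingSensitive && sensitive.contains(e.getKey());
            out.put(e.getKey(), hide ? Collections.singletonList(MASK) : e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers, including an API-key header.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Content-Type", Collections.singletonList("application/json"));
        headers.put("Authorization", Collections.singletonList("Bearer sample-token"));
        headers.put("X-Api-Key", Collections.singletonList("sample-api-key"));

        // Default list only: X-Api-Key would still appear in the log output.
        System.out.println(new HeaderMasker(Collections.emptySet(), false).maskForLogging(headers));
        // Extended list: X-Api-Key is masked as well.
        System.out.println(new HeaderMasker(Set.of("X-Api-Key"), false).maskForLogging(headers));
    }
}
```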