Sentry Replay currently redacts the Authorization header to avoid private information leaks. Instead, SDK users see something like this in their Sentry portal:

Ideally we'd also redact this in the SDK before it crosses process boundaries though.
The FailedRequest handler and HttpContextExtensions currently capture all headers when SendDefaultPii is true:
```csharp
if (!Options.SendDefaultPii)
{
    sentryRequest.Url = uri?.HttpRequestUrl();
}
else
{
    sentryRequest.Url = uri?.AbsoluteUri;
    sentryRequest.Cookies = request.Headers.GetCookies();
    sentryRequest.AddHeaders(request.Headers);
    responseContext.Cookies = response.Headers.GetCookies();
    responseContext.AddHeaders(response.Headers);
}
```
ScopeExtensions excludes this rather than redacting it:
```csharp
if (!options.SendDefaultPii
    // Don't add headers which might contain PII
    && (requestHeader.Key == HeaderNames.Cookie
        || requestHeader.Key == HeaderNames.Authorization))
{
    continue;
}

scope.Request.Headers[requestHeader.Key] = requestHeader.Value!;

if (requestHeader.Key == HeaderNames.Cookie)
{
    scope.Request.Cookies = requestHeader.Value;
}
```
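To illustrate the "redact rather than exclude" behaviour the two snippets above are contrasted with, here is an added example (not sentry-dotnet code, and not an API the SDK exposes). It copies a request's headers into a dictionary, keeping the header name so the entry is still visible in the event but replacing the value of credential-bearing headers. The header list, the `HeaderRedaction` class and the `[Filtered]` replacement token are assumptions made for this example; the sample request and header values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;

// Added example, not part of sentry-dotnet. Demonstrates redacting the value of
// sensitive headers in-process instead of dropping the header entirely.
public static class HeaderRedaction
{
    // Assumed list of headers whose values must never leave the process.
    // Header names are case-insensitive per RFC 9110, so compare accordingly.
    private static readonly HashSet<string> SensitiveHeaders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "Authorization",
            "Proxy-Authorization",
            "Cookie",
            "Set-Cookie",
        };

    // Assumed replacement token; chosen so the reader can see the header
    // was present without seeing its value.
    public const string Filtered = "[Filtered]";

    // Works on anything that enumerates like System.Net.Http.Headers.HttpHeaders,
    // e.g. HttpRequestMessage.Headers or HttpResponseMessage.Headers.
    public static Dictionary<string, string> Redact(
        IEnumerable<KeyValuePair<string, IEnumerable<string>>> headers)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var header in headers)
        {
            // Keep the key in every case; only the value is replaced.
            result[header.Key] = SensitiveHeaders.Contains(header.Key)
                ? Filtered
                : string.Join(", ", header.Value);
        }
        return result;
    }

    public static void Main()
    {
        // Constructed sample request; the token and cookie are dummy values.
        var request = new HttpRequestMessage(HttpMethod.Get, "https://example.test/api/items");
        request.Headers.TryAddWithoutValidation("Authorization", "Bearer constructed-sample-token");
        request.Headers.TryAddWithoutValidation("Cookie", "session=constructed-sample");
        request.Headers.TryAddWithoutValidation("Accept", "application/json");

        foreach (var kv in Redact(request.Headers))
        {
            Console.WriteLine($"{kv.Key}: {kv.Value}");
        }
    }
}
```

The design point is that the filtered dictionary is what gets attached to the event, so the raw `Authorization` value never crosses the process boundary regardless of what the server-side scrubber does later; the header's presence is still recorded, which is the information a developer debugging a failed request usually needs.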
Source references (at commit f765f99):
sentry-dotnet/src/Sentry/SentryHttpFailedRequestHandler.cs, lines 62 to 73
sentry-dotnet/src/Sentry.AspNetCore/ScopeExtensions.cs, lines 138 to 151