[FEATURE] Make it possible to restrict keys in scope.headers log entries #551
Comments
The sensible place to start here would be to look at other Python web servers and determine what header filtering they put in place. In particular what does Gunicorn do here? Do they output headers / WSGI environ in logs at any point? Do they filter the headers in any particular way?
@tomchristie
Use lowercase for header and environment variable names, and put In a log format, like I would really caution against doing logging like Gunicorn does it, I'm quite happy with the way uvicorn handles it, with the exception of not being able to define headers that should be excluded.
I think this is fixed in #859
I had an issue pop up when I updated uvicorn to a newer version, specifically it seems that scope.headers got added to the log output, and there appears to be no way to filter what goes into that log.
Here is an example log:
The problem is headers like
["b'authorization'", "b'Bearer fake-bearer-token'"]
which can give away sensitive information like API Keys or valid Bearer tokens. I would like a feature that gives me the option to exclude specific headers that may include sensitive information that I do not want to be logged.
The current way I do this is by creating a custom formatter that drops the scope.headers field entirely.
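A narrower alternative to dropping the whole field, shown here as an added example (not code from this issue or from uvicorn): a `logging.Filter` that redacts only selected header values. It assumes the log record carries a `scope` attribute holding the ASGI scope dict, with `headers` as a list of byte-string name/value pairs; `RedactScopeHeaders`, `redact_headers` and the deny-list are hypothetical names.

```python
import logging

REDACTED = b"[redacted]"
# Assumed deny-list; adjust to the credentials your service accepts.
SENSITIVE_HEADERS = frozenset(
    {b"authorization", b"proxy-authorization", b"cookie", b"x-api-key"}
)


def redact_headers(headers, sensitive=SENSITIVE_HEADERS):
    """Return a new header list with the values of sensitive headers replaced."""
    return [
        (name, REDACTED if name.lower() in sensitive else value)
        for name, value in headers
    ]


class RedactScopeHeaders(logging.Filter):
    """Swap record.scope for a copy whose sensitive header values are redacted."""

    def __init__(self, sensitive=SENSITIVE_HEADERS):
        super().__init__()
        self.sensitive = frozenset(h.lower() for h in sensitive)

    def filter(self, record):
        scope = getattr(record, "scope", None)  # assumption: set via `extra`
        if isinstance(scope, dict) and "headers" in scope:
            safe = dict(scope)  # shallow copy: the app still needs the real scope
            safe["headers"] = redact_headers(scope["headers"], self.sensitive)
            record.scope = safe
        return True  # sanitise the record, never drop it


def demo():
    # Constructed sample scope, modelled on the header quoted in the issue.
    scope = {
        "type": "http",
        "path": "/items",
        "headers": [
            (b"host", b"example.test"),
            (b"authorization", b"Bearer fake-bearer-token"),
        ],
    }
    record = logging.LogRecord(
        "uvicorn.access", logging.INFO, "demo", 0, "GET /items", None, None
    )
    record.scope = scope
    RedactScopeHeaders().filter(record)
    return scope, record.scope
```

Attach the filter to the handler that serialises the record (`handler.addFilter(RedactScopeHeaders())`) so it runs before any formatter sees the headers.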