From a1b1a87246ebb463790989f16429101f58a56164 Mon Sep 17 00:00:00 2001
From: Gaurav Poudel
Date: Sat, 14 Feb 2026 12:30:31 +0530
Subject: [PATCH] fix: redact sensitive headers in debug request/response logging
---
 src/lib/sdks.ts | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/lib/sdks.ts b/src/lib/sdks.ts
index 2fdad0c..3c744fe 100644
--- a/src/lib/sdks.ts
+++ b/src/lib/sdks.ts
@@ -302,6 +302,18 @@ export class ClientSDK {
 }
 }
+const SENSITIVE_HEADERS = new Set([
+ "authorization",
+ "cookie",
+ "set-cookie",
+ "x-api-key",
+ "proxy-authorization",
+]);
+
+function redactHeaderValue(name: string, value: string): string {
+ return SENSITIVE_HEADERS.has(name.toLowerCase()) ? "[REDACTED]" : value;
+}
+
 const jsonLikeContentTypeRE = /(application|text)\/.*?\+*json.*/;
 const jsonlLikeContentTypeRE = /(application|text)\/(.*?\+*\bjsonl\b.*|.*?\+*\bx-ndjson\b.*)/;
@@ -317,7 +329,7 @@ async function logRequest(logger: Logger | undefined, req: Request) {
 logger.group("Headers:");
 for (const [k, v] of req.headers.entries()) {
- logger.log(`${k}: ${v}`);
+ logger.log(`${k}: ${redactHeaderValue(k, v)}`);
 }
 logger.groupEnd();
@@ -363,7 +375,7 @@ async function logResponse(
 logger.group("Headers:");
 for (const [k, v] of res.headers.entries()) {
- logger.log(`${k}: ${v}`);
+ logger.log(`${k}: ${redactHeaderValue(k, v)}`);
 }
 logger.groupEnd();
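Review bot: `SENSITIVE_HEADERS` is a fixed list of five names, so a credential sent under any other header is still written to the debug log in clear — for instance an API-key scheme whose header is not literally `x-api-key`, or token headers such as `x-auth-token` and `x-amz-security-token`. A name-pattern fallback next to the exact set would close most of that gap: `const SENSITIVE_HEADER_RE = /auth|token|secret|api-?key|session|cookie/i;` and, in `redactHeaderValue`, `return SENSITIVE_HEADERS.has(name.toLowerCase()) || SENSITIVE_HEADER_RE.test(name) ? "[REDACTED]" : value;`. Over-redacting a harmless header in a debug log costs little, while one missed secret ends up wherever the logs are shipped. The constant also deserves a one-line comment saying its entries must be lower-case, since the lookup lower-cases the name before calling `has()`.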
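Review bot: Only the header loop in `logRequest` goes through `redactHeaderValue`; the function starts and continues outside this hunk, so it is not visible whether it also logs the request URL or body, where a token in a query string or a credential in a JSON payload would bypass this fix. That is worth confirming before merge, and the limit should be stated at the call site with a comment such as `// Redaction covers header values only.` The same point applies to the `logResponse` hunk at `@@ -363,7 +375,7 @@`.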