
Should "sensitive" header types set HeaderValue::is_sensitive?

Open seanmonstar opened this issue 7 years ago • 2 comments

There is an attribute of HeaderValue that marks it as "sensitive". This currently has two effects:

  • In HTTP/2, the HPACK never-indexed literal flag is set. This keeps the value from being stored in the dynamic HPACK table.
  • Alters the Debug output to simply write the word "Sensitive" instead of the actual bytes, which can help with accidental storage of secrets or PII.

Should these potentially sensitive headers set this flag when encoding to a HeaderValue?

  • Authorization
  • Cookie
  • Set-Cookie
  • Others?

seanmonstar Oct 04 '18 18:10
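To make the two effects concrete, here is an added, self-contained Rust model of the behaviour the issue describes; it is not code from the `http` or `headers` crates and does not depend on them. `HeaderValue`, `set_sensitive` and `is_sensitive` mirror the real `http` crate names, but the struct here is a stand-in; `encode_header`, `is_sensitive_name`, `hpack_repr`, `debug_string` and the `HpackRepr` enum are hypothetical helpers, and listing Proxy-Authorization alongside Authorization, Cookie and Set-Cookie is an assumption under the "Others?" bullet. The token and user-agent strings are constructed sample input.

```rust
use std::fmt;

/// Stand-in for the `http` crate's HeaderValue: raw bytes plus the
/// "sensitive" flag discussed in the issue (model, not the crate's code).
#[derive(Clone, PartialEq, Eq)]
pub struct HeaderValue {
    bytes: Vec<u8>,
    is_sensitive: bool,
}

impl HeaderValue {
    pub fn from_bytes(bytes: &[u8]) -> Self {
        HeaderValue { bytes: bytes.to_vec(), is_sensitive: false }
    }
    pub fn set_sensitive(&mut self, val: bool) {
        self.is_sensitive = val;
    }
    pub fn is_sensitive(&self) -> bool {
        self.is_sensitive
    }
}

/// Effect 2: Debug output redacts sensitive values, so `{:?}` on a request
/// never copies a bearer token or cookie into a log line.
impl fmt::Debug for HeaderValue {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        if self.is_sensitive {
            f.write_str("Sensitive")
        } else {
            write!(f, "{:?}", String::from_utf8_lossy(&self.bytes))
        }
    }
}

/// Header names whose values are marked sensitive by default, as proposed in
/// the issue. Proxy-Authorization is an assumed addition ("Others?").
const SENSITIVE_BY_DEFAULT: &[&str] =
    &["authorization", "cookie", "set-cookie", "proxy-authorization"];

/// Case-insensitive check against the default-sensitive list.
pub fn is_sensitive_name(name: &str) -> bool {
    SENSITIVE_BY_DEFAULT.iter().any(|n| n.eq_ignore_ascii_case(name))
}

/// Encode a (name, value) pair into a HeaderValue, deriving the sensitive
/// flag from the header name. This is the policy the thread asks typed
/// headers such as Authorization to apply when they encode.
pub fn encode_header(name: &str, value: &[u8]) -> HeaderValue {
    let mut hv = HeaderValue::from_bytes(value);
    hv.set_sensitive(is_sensitive_name(name));
    hv
}

/// Effect 1: how an HPACK encoder treats the flag. Sensitive values are sent
/// as never-indexed literals (no dynamic-table entry, so they cannot be
/// recovered from the table or probed via compression); others may be indexed.
#[derive(Debug, PartialEq, Eq)]
pub enum HpackRepr {
    Indexed,
    NeverIndexed,
}

pub fn hpack_repr(value: &HeaderValue) -> HpackRepr {
    if value.is_sensitive() {
        HpackRepr::NeverIndexed
    } else {
        HpackRepr::Indexed
    }
}

/// Render one header the way a `{:?}` of a header map would.
pub fn debug_string(name: &str, value: &HeaderValue) -> String {
    format!("{}: {:?}", name, value)
}

fn main() {
    // Constructed sample values; the token is not a real credential.
    let auth = encode_header("Authorization", b"Bearer constructed-token-value");
    let ua = encode_header("User-Agent", b"example/1.0");
    println!("{}", debug_string("authorization", &auth)); // authorization: Sensitive
    println!("{}", debug_string("user-agent", &ua)); // user-agent: "example/1.0"
    println!("{:?} / {:?}", hpack_repr(&auth), hpack_repr(&ua));
}
```

The name-based default is what closes the gap the later comment describes: a caller who switches from a hand-built HeaderValue to a typed header keeps the redaction without having to remember to call `set_sensitive` themselves.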

Perhaps all header types should have a sensitive flag and some set them by default?

carllerche Nov 12 '18 16:11

+1 on preventing accidental exposure of secrets in Debug output. I converted over from using a HeaderValue explicitly marked sensitive to the Authorization typed header and had expected that would continue to be the case.

shikhar Jul 22 '21 00:07