61 changes: 61 additions & 0 deletions packages/core/src/utils/data-collection/filtering-snippets.ts
@@ -1 +1,62 @@
export const PII_HEADER_SNIPPETS = ['forwarded', '-ip', 'remote-', 'via', '-user'];

export const SENSITIVE_KEY_SNIPPETS = [
'auth',
'token',
'secret',
'session', // for the user_session cookie
'password',
'passwd',
'pwd',
'key',
'jwt',
'bearer',
'sso',
'saml',
'csrf',
'xsrf',
'credentials',
'sid',
'identity',
// Always treat cookie headers as sensitive in case individual key-value cookie pairs cannot properly be extracted
'set-cookie',
'cookie',
];

/**
* Extra substrings matched only against individual Cookie / Set-Cookie **names** (not header names),
* so we can cover common session secrets that do not match {@link SENSITIVE_KEY_SNIPPETS}
* (e.g. `connect.sid` does not contain `session`) without false positives on arbitrary HTTP headers.
*
* Cookie names are checked with the same `includes()` list as headers plus these entries; omit redundant
* cookie-only snippets that are already implied by a header match (e.g. `oauth` → `auth`, `id_token` → `token`,
* `next-auth` → `auth`).
*/
export const SENSITIVE_COOKIE_NAME_SNIPPETS = [
// Express / Connect default session cookie
'.sid',
// Opaque session ids (PHPSESSID, ASPSESSIONID*, BIGipServer*, *sessid*, …)
'sessid',
// Laravel etc. "remember me" tokens
'remember',
// OIDC / OAuth auxiliary (`oauth*` covered by header snippet `auth`)
'oidc',
'pkce',
'nonce',
// RFC 6265bis high-security cookie name prefixes
'__secure-',
'__host-',
// Load balancer / CDN sticky-session cookies (opaque routing tokens)
'awsalb',
'awselb',
'akamai',
// BaaS / IdP session cookies (names often omit "session")
'__stripe',
'cognito',
'firebase',
'supabase',
'sb-',
// Step-up / MFA cookies
'mfa',
'2fa',
];
70 changes: 7 additions & 63 deletions packages/core/src/utils/request.ts
Expand Up @@ -6,6 +6,11 @@ import type { RequestEventData } from '../types-hoist/request';
import type { WebFetchHeaders, WebFetchRequest } from '../types-hoist/webfetchapi';
import { debug } from './debug-logger';
import { safeUnref } from './timer';
import {
PII_HEADER_SNIPPETS,
SENSITIVE_COOKIE_NAME_SNIPPETS,
SENSITIVE_KEY_SNIPPETS,
} from '../utils/data-collection/filtering-snippets';

/**
* Maximum size of incoming HTTP request bodies attached to events.
Expand Down Expand Up @@ -258,67 +263,6 @@ function getAbsoluteUrl({
return undefined;
}

const SENSITIVE_HEADER_SNIPPETS = [
'auth',
'token',
'secret',
'session', // for the user_session cookie
'password',
'passwd',
'pwd',
'key',
'jwt',
'bearer',
'sso',
'saml',
'csrf',
'xsrf',
'credentials',
// Always treat cookie headers as sensitive in case individual key-value cookie pairs cannot properly be extracted
'set-cookie',
'cookie',
];

/**
* Extra substrings matched only against individual Cookie / Set-Cookie **names** (not header names),
* so we can cover common session secrets that do not match {@link SENSITIVE_HEADER_SNIPPETS}
* (e.g. `connect.sid` does not contain `session`) without false positives on arbitrary HTTP headers.
*
* Cookie names are checked with the same `includes()` list as headers plus these entries; omit redundant
* cookie-only snippets that are already implied by a header match (e.g. `oauth` → `auth`, `id_token` → `token`,
* `next-auth` → `auth`).
*/
const SENSITIVE_COOKIE_NAME_SNIPPETS = [
// Express / Connect default session cookie
'.sid',
// Opaque session ids (PHPSESSID, ASPSESSIONID*, BIGipServer*, *sessid*, …)
'sessid',
// Laravel etc. "remember me" tokens
'remember',
// OIDC / OAuth auxiliary (`oauth*` covered by header snippet `auth`)
'oidc',
'pkce',
'nonce',
// RFC 6265bis high-security cookie name prefixes
'__secure-',
'__host-',
// Load balancer / CDN sticky-session cookies (opaque routing tokens)
'awsalb',
'awselb',
'akamai',
// BaaS / IdP session cookies (names often omit "session")
'__stripe',
'cognito',
'firebase',
'supabase',
'sb-',
// Step-up / MFA cookies
'mfa',
'2fa',
];

const PII_HEADER_SNIPPETS = ['x-forwarded-', '-user'];

/**
* Converts incoming HTTP request or response headers to OpenTelemetry span attributes following semantic conventions.
* Header names are converted to the format: http.<request|response>.header.<key>
Expand Down Expand Up @@ -434,8 +378,8 @@ function handleHttpHeader(
isCookieSubKey: boolean = false,
): string | undefined {
const snippetsForSensitivity = isCookieSubKey
? [...SENSITIVE_HEADER_SNIPPETS, ...SENSITIVE_COOKIE_NAME_SNIPPETS]
: SENSITIVE_HEADER_SNIPPETS;
? [...SENSITIVE_KEY_SNIPPETS, ...SENSITIVE_COOKIE_NAME_SNIPPETS]
: SENSITIVE_KEY_SNIPPETS;

const isSensitive = sendPii
? snippetsForSensitivity.some(snippet => lowerCasedKey.includes(snippet))
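Review bot: The new import path `'../utils/data-collection/filtering-snippets'` climbs out of `utils/` only to re-enter it, while the neighbouring imports in the same hunk use `./debug-logger` and `./timer`; `from './data-collection/filtering-snippets'` resolves to the same module and keeps the file's relative-import style. In the last hunk, `[...SENSITIVE_KEY_SNIPPETS, ...SENSITIVE_COOKIE_NAME_SNIPPETS]` is still rebuilt on every cookie sub-key call; now that both lists live in one exported module, the merged list could be computed there once and imported, although that allocation predates this commit. handleHttpHeader begins and ends outside the hunk, so the remainder of the `sendPii` branch was not reviewed.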