feat(sentry-apps): Gate custom webhook header delivery behind feature flag

Check organizations:sentry-apps-custom-webhook-headers on the SentryApp
owner org before including custom headers in the outbound request and
the request-buffer log. Without the flag, only Sentry's own headers
(Content-Type, Request-ID, signature, etc.) are sent and recorded.

Also adds the flag to temporary.py so tests can enable it with
with_feature(), and updates the existing buffer-masking test plus
adds a companion test for the flag-off path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: billyvg

src/sentry/features/temporary.py

@@ -308,6 +308,8 @@ def register_temporary_features(manager: FeatureManager) -> None:
     manager.add("organizations:seer-gitlab-support", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=True)
     # Run Seer agents inside the sandbox execution environment
     manager.add("organizations:seer-use-agent-sandbox", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=False)
+    # Enable delivery of custom webhook headers configured on a SentryApp
+    manager.add("organizations:sentry-apps-custom-webhook-headers", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=True)
     # Disable select orgs from ingesting mobile replay events.
     # Enable double-read from EAP for session health data validation
     manager.add("organizations:session-health-eap", OrganizationFeature, FeatureHandlerStrategy.FLAGPOLE, api_expose=False)

src/sentry/utils/sentry_apps/webhooks.py

@@ -13,7 +13,7 @@
 from requests.exceptions import ChunkedEncodingError, ConnectionError, Timeout
 from rest_framework import status
 
-from sentry import options
+from sentry import features, options
 from sentry.exceptions import RestrictedIPAddress
 from sentry.http import safe_urlopen
 from sentry.integrations.utils.metrics import EventLifecycle
@@ -195,6 +195,7 @@ def _circuit_breaker_allows_request(
 def _send_webhook_request(
     url: str,
     app_platform_event: AppPlatformEvent[T],
+    use_custom_headers: bool = False,
 ) -> Response:
     # We don't want to use the alarm in CONTROL silo as it's only used for installation webhooks which are v. low volume
     # Also that we aren't guaranteed to be in main thread
@@ -212,7 +213,9 @@ def _send_webhook_request(
         return safe_urlopen(
             url=url,
             data=app_platform_event.body,
-            headers=app_platform_event.headers,
+            headers=app_platform_event.headers
+            if use_custom_headers
+            else app_platform_event.sentry_headers,
             timeout=options.get("sentry-apps.webhook.timeout.sec"),
         )
 
@@ -262,19 +265,26 @@ def send_and_save_webhook_request(
         )
 
         assert url is not None
+        custom_headers_enabled = False
         try:
             owner_context = organization_service.get_organization_by_id(
                 id=sentry_app.owner_id,
                 include_projects=False,
                 include_teams=False,
             )
             owner_org = owner_context.organization if owner_context is not None else None
+            if owner_org is not None:
+                custom_headers_enabled = features.has(
+                    "organizations:sentry-apps-custom-webhook-headers", owner_org
+                )
             circuit_breaker = _create_circuit_breaker(sentry_app)
             if not _circuit_breaker_allows_request(circuit_breaker, sentry_app, lifecycle):
                 return Response()
 
             with circuit_breaker_tracking(circuit_breaker):
-                response = _send_webhook_request(url, app_platform_event)
+                response = _send_webhook_request(
+                    url, app_platform_event, use_custom_headers=custom_headers_enabled
+                )
 
         except WebhookTimeoutError:
             if circuit_breaker and circuit_breaker.is_open() and owner_org is not None:
@@ -307,9 +317,9 @@ def send_and_save_webhook_request(
                 org_id=org_id,
                 event=event,
                 url=url,
-                # Log Sentry's headers plus masked custom headers: custom header
-                # values may contain secrets and must never be persisted.
-                headers=app_platform_event.loggable_headers,
+                headers=app_platform_event.loggable_headers
+                if custom_headers_enabled
+                else app_platform_event.sentry_headers,
             )
             lifecycle.record_halt(e)
             # Re-raise the exception because some of these tasks might retry on the exception
@@ -340,9 +350,9 @@ def send_and_save_webhook_request(
             error_id=response.headers.get("Sentry-Hook-Error"),
             project_id=project_id,
             response=response,
-            # Log Sentry's headers plus masked custom headers: custom header
-            # values may contain secrets and must never be persisted.
-            headers=app_platform_event.loggable_headers,
+            headers=app_platform_event.loggable_headers
+            if custom_headers_enabled
+            else app_platform_event.sentry_headers,
         )
 
         debug_logging_enabled = (

tests/sentry/utils/sentry_apps/test_webhooks.py

@@ -147,6 +147,7 @@ def test_http_error_response_records_success_and_raises(
 
         mock_record_success.assert_called_once()
 
+    @with_feature("organizations:sentry-apps-custom-webhook-headers")
     @override_options(CIRCUIT_BREAKER_OPTIONS)
     @patch("sentry.utils.sentry_apps.webhooks.safe_urlopen")
     def test_error_response_buffers_masked_custom_headers(self, mock_safe_urlopen):
@@ -185,6 +186,46 @@ def test_error_response_buffers_masked_custom_headers(self, mock_safe_urlopen):
         # Sentry's own headers are still recorded in the clear.
         assert headers["Content-Type"] == "application/json"
 
+    @override_options(CIRCUIT_BREAKER_OPTIONS)
+    @patch("sentry.utils.sentry_apps.webhooks.safe_urlopen")
+    def test_custom_headers_not_sent_or_logged_without_flag(self, mock_safe_urlopen):
+        """Without the feature flag, custom headers are stripped from both the request
+        and the buffer log."""
+        sentry_app = self.create_sentry_app(
+            name="HeaderApp",
+            organization=self.organization,
+            webhook_url="https://example.com/webhook",
+            published=True,
+            webhook_headers=["Authorization: Bearer super-secret"],
+        )
+        install = self.create_sentry_app_installation(
+            organization=self.organization, slug=sentry_app.slug
+        )
+        event = AppPlatformEvent(
+            resource=SentryAppResourceType.ISSUE,
+            action=IssueActionType.CREATED,
+            install=install,
+            data={"test": "data"},
+        )
+        mock_safe_urlopen.return_value = _MockResponse(
+            {}, "{}", "", False, 401, _raise_status_false, None
+        )
+
+        with pytest.raises(ClientError):
+            send_and_save_webhook_request(sentry_app, event)
+
+        # Custom header must not appear in the outbound request.
+        call_headers = mock_safe_urlopen.call_args.kwargs["headers"]
+        assert "Authorization" not in call_headers
+
+        # Custom header must not appear in the buffer log either.
+        requests = SentryAppWebhookRequestsBuffer(sentry_app).get_requests(errors_only=True)
+        assert len(requests) == 1
+        headers = requests[0].get("request_headers")
+        assert headers is not None
+        assert "Authorization" not in headers
+        assert headers["Content-Type"] == "application/json"
+
 
 @cell_silo_test
 class WebhookCircuitBreakerNotifyTest(TestCase):