[Security] Redact cookies from debug logs

gonzaloriestra · gonzaloriestra · commit 45c44bdbb051 · 2026-05-20T14:53:04.000+02:00
Add 'cookie' to the list of redacted keywords in `sanitizedHeadersOutput` to prevent session data leakage in debug logs. Update tests to verify redaction.
diff --git a/packages/cli-kit/src/private/node/api/headers.test.ts b/packages/cli-kit/src/private/node/api/headers.test.ts
@@ -76,7 +76,7 @@ describe('common API methods', () => {
     },
   )
 
-  test('sanitizedHeadersOutput removes the headers that include the token', () => {
+  test('sanitizedHeadersOutput removes sensitive headers', () => {
     // Given
     const headers = {
       'User-Agent': 'useragent',
@@ -85,6 +85,8 @@ describe('common API methods', () => {
       authorization: 'token',
       'Content-Type': 'application/json',
       'X-Shopify-Access-Token': 'token',
+      Cookie: 'session=123',
+      'Set-Cookie': 'session=456',
     }
 
     // When
diff --git a/packages/cli-kit/src/private/node/api/headers.ts b/packages/cli-kit/src/private/node/api/headers.ts
@@ -33,7 +33,7 @@ export class GraphQLClientError extends RequestClientError {
  */
 export function sanitizedHeadersOutput(headers: Record<string, string>): string {
   const sanitized: Record<string, string> = {}
-  const keywords = ['token', 'authorization', 'subject_token']
+  const keywords = ['token', 'authorization', 'subject_token', 'cookie']
   Object.keys(headers).forEach((header) => {
     if (keywords.find((keyword) => header.toLocaleLowerCase().includes(keyword)) === undefined) {
       sanitized[header] = headers[header]!
