[Security] Redact cookies from debug logs

gonzaloriestra · gonzaloriestra · commit 5f7f39b4bee2 · 2026-05-12T11:42:25.000+02:00
Add 'cookie' to the list of redacted keywords in `sanitizedHeadersOutput` to prevent session data leakage in debug logs. Update tests to verify redaction.
diff --git a/packages/cli-kit/src/private/node/api/headers.test.ts b/packages/cli-kit/src/private/node/api/headers.test.ts
@@ -85,6 +85,8 @@ describe('common API methods', () => {
       authorization: 'token',
       'Content-Type': 'application/json',
       'X-Shopify-Access-Token': 'token',
+      Cookie: 'session=123',
+      'Set-Cookie': 'session=456',
     }
 
     // When
diff --git a/packages/cli-kit/src/private/node/api/headers.ts b/packages/cli-kit/src/private/node/api/headers.ts
@@ -33,7 +33,7 @@ export class GraphQLClientError extends RequestClientError {
  */
 export function sanitizedHeadersOutput(headers: Record<string, string>): string {
   const sanitized: Record<string, string> = {}
-  const keywords = ['token', 'authorization', 'subject_token']
+  const keywords = ['token', 'authorization', 'subject_token', 'cookie']
   Object.keys(headers).forEach((header) => {
     if (keywords.find((keyword) => header.toLocaleLowerCase().includes(keyword)) === undefined) {
       sanitized[header] = headers[header]!

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,8 @@ describe('common API methods', () => {`
`85`	`85`	`authorization: 'token',`
`86`	`86`	`'Content-Type': 'application/json',`
`87`	`87`	`'X-Shopify-Access-Token': 'token',`
	`88`	`+ Cookie: 'session=123',`
	`89`	`+ 'Set-Cookie': 'session=456',`
`88`	`90`	`}`
`89`	`91`
`90`	`92`	`// When`