[fix](fe) Mask sensitive headers in stream load logs (#62108)

FE stream load REST logs printed full request headers, which could leak Authorization and token values into INFO logs.

Changes:
- Mask values for a small set of sensitive headers (e.g., Authorization, token) in getAllHeaders()
- Add isSensitiveHeader() helper to centralize the masking decision

Author: liaoxin01

fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java

@@ -671,12 +671,21 @@ private String getAllHeaders(HttpServletRequest request) {
         Enumeration<String> headerNames = request.getHeaderNames();
         while (headerNames.hasMoreElements()) {
             String headerName = headerNames.nextElement();
-            String headerValue = request.getHeader(headerName);
+            String headerValue = isSensitiveHeader(headerName) ? "***MASKED***" : request.getHeader(headerName);
             headers.append(headerName).append(":").append(headerValue).append(", ");
         }
         return headers.toString();
     }
 
+    private boolean isSensitiveHeader(String headerName) {
+        return "Authorization".equalsIgnoreCase(headerName)
+                || "Proxy-Authorization".equalsIgnoreCase(headerName)
+                || "Cookie".equalsIgnoreCase(headerName)
+                || "Set-Cookie".equalsIgnoreCase(headerName)
+                || "token".equalsIgnoreCase(headerName)
+                || "Auth-Token".equalsIgnoreCase(headerName);
+    }
+
     private Backend selectBackendForGroupCommit(String clusterName, HttpServletRequest req, long tableId)
             throws LoadException {
         ConnectContext ctx = new ConnectContext();

fe/fe-core/src/test/java/org/apache/doris/httpv2/rest/LoadActionTest.java

@@ -0,0 +1,49 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.httpv2.rest;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.junit.Assert;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.Collections;
+
+public class LoadActionTest {
+
+    @Test
+    public void testGetAllHeadersMasksSensitiveHeaders() throws Exception {
+        LoadAction action = new LoadAction();
+        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+        Mockito.when(request.getHeaderNames()).thenReturn(Collections.enumeration(Arrays.asList(
+                "Authorization", "Cookie", "Set-Cookie", "token", "label")));
+        Mockito.when(request.getHeader("label")).thenReturn("load_label");
+
+        Method method = LoadAction.class.getDeclaredMethod("getAllHeaders", HttpServletRequest.class);
+        method.setAccessible(true);
+        String headers = (String) method.invoke(action, request);
+
+        Assert.assertTrue(headers.contains("Authorization:***MASKED***"));
+        Assert.assertTrue(headers.contains("Cookie:***MASKED***"));
+        Assert.assertTrue(headers.contains("Set-Cookie:***MASKED***"));
+        Assert.assertTrue(headers.contains("token:***MASKED***"));
+        Assert.assertTrue(headers.contains("label:load_label"));
+    }
+}