chore: redact api-key headers in debug logs

stainless-app[bot] · stainless-app[bot] · commit 91f6f4ab43dd · 2026-05-08T03:43:17.000Z
diff --git a/option/middleware.go b/option/middleware.go
@@ -8,6 +8,10 @@ import (
 	"net/http/httputil"
 )
 
+// sensitiveLogHeaders are redacted before request and response content is
+// written to the debug logger.
+var sensitiveLogHeaders = []string{"authorization", "api-key", "x-api-key", "cookie", "set-cookie"}
+
 // WithDebugLog logs the HTTP request and response content.
 // If the logger parameter is nil, it uses the default logger.
 //
@@ -20,7 +24,7 @@ func WithDebugLog(logger *log.Logger) RequestOption {
 			logger = log.Default()
 		}
 
-		if reqBytes, err := httputil.DumpRequest(req, true); err == nil {
+		if reqBytes, err := dumpRedactedRequest(req); err == nil {
 			logger.Printf("Request Content:\n%s\n", reqBytes)
 		}
 
@@ -29,10 +33,48 @@ func WithDebugLog(logger *log.Logger) RequestOption {
 			return resp, err
 		}
 
-		if respBytes, err := httputil.DumpResponse(resp, true); err == nil {
+		if respBytes, err := dumpRedactedResponse(resp); err == nil {
 			logger.Printf("Response Content:\n%s\n", respBytes)
 		}
 
 		return resp, err
 	})
 }
+
+// dumpRedactedRequest dumps req with sensitive headers replaced. The
+// original headers are restored via defer so a panic in DumpRequest cannot
+// leak the placeholder map into the live request sent downstream.
+func dumpRedactedRequest(req *http.Request) ([]byte, error) {
+	origHeaders := req.Header
+	req.Header = redactDebugHeaders(origHeaders)
+	defer func() { req.Header = origHeaders }()
+	return httputil.DumpRequest(req, true)
+}
+
+func dumpRedactedResponse(resp *http.Response) ([]byte, error) {
+	origHeaders := resp.Header
+	resp.Header = redactDebugHeaders(origHeaders)
+	defer func() { resp.Header = origHeaders }()
+	return httputil.DumpResponse(resp, true)
+}
+
+func redactDebugHeaders(headers http.Header) http.Header {
+	var redacted http.Header
+	for _, name := range sensitiveLogHeaders {
+		values := headers.Values(name)
+		if len(values) == 0 {
+			continue
+		}
+		if redacted == nil {
+			redacted = headers.Clone()
+		}
+		redacted.Del(name)
+		for range values {
+			redacted.Add(name, "***")
+		}
+	}
+	if redacted == nil {
+		return headers
+	}
+	return redacted
+}
