fix(security): redact sensitive headers from debug logs #2918
giulio-leone wants to merge 1 commit into openai:main from
Conversation
Pull request overview
This PR addresses #1196 by preventing sensitive response headers (e.g., authorization, api-key) from being emitted in debug logs in the sync and async HTTP clients.
Changes:
- Redacts sensitive values when logging `httpx.Response.headers` in both `SyncAPIClient` and `AsyncAPIClient`.
- Re-exports `SENSITIVE_HEADERS` from `openai._utils` to reuse the existing sensitive-header allowlist.
- Adds a test intended to validate the response-header redaction logic.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/openai/_base_client.py | Redacts sensitive response headers before emitting debug logs for HTTP responses. |
| src/openai/_utils/__init__.py | Exposes SENSITIVE_HEADERS for reuse outside _utils/_logs.py. |
| tests/test_utils/test_logging.py | Adds a test for header redaction behavior using SENSITIVE_HEADERS. |
…ase_client Adds a test using respx to verify that sensitive response headers are actually redacted in log output when making real client calls, not just testing the filter utility in isolation. Refs: openai#2918
5738c34 to 0a2c79b
Intervention note for this PR: Current blocker appears to be missing CI execution rather than failing jobs:
Suggested unblock sequence:
If useful, I can run a follow-up status sweep as soon as checks are attached.
Friendly follow-up — this addresses a security concern (#1196) where sensitive headers could be exposed in debug logs. The fix is minimal (2 files) and all existing tests pass. Would appreciate a review when you get a chance. 🙏
This PR is ready for review — all CI checks pass, no merge conflicts, and all review threads have been resolved. Ready to merge when approved. 🚀
0a2c79b to 4578d41
Hi! 👋 Gentle ping — this PR is rebased, CI passes, and ready for review. Happy to address any feedback. Thanks! |
Summary
Fixes #1196
Response headers were logged unfiltered at debug level in both sync and async HTTP clients (`_base_client.py`), potentially exposing `authorization` and `api-key` header values in log output.
Changes
- `src/openai/_base_client.py`: Filter `response.headers` through a dict comprehension that redacts values for headers in `SENSITIVE_HEADERS` before logging. Applied to both `SyncAPIClient` and `AsyncAPIClient`.
- `src/openai/_utils/__init__.py`: Export the existing `SENSITIVE_HEADERS` set from `_logs.py` so it can be reused in `_base_client.py`.
- `tests/test_utils/test_logging.py`: Added test verifying response header redaction logic.
Approach
Reuses the existing `SENSITIVE_HEADERS` set (`{"api-key", "authorization"}`) from `_utils/_logs.py`, which is already used by `SensitiveHeadersFilter` for request options. The filter only needed to cover request args in dict format; this PR extends coverage to response headers logged directly.
Before
After
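The redaction approach the PR description outlines (a dict comprehension over the response headers, keyed on `SENSITIVE_HEADERS`), as an added stand-alone example that is not code from openai-python or from the PR itself. It reuses the set `{"api-key", "authorization"}` named in the description, but the function names, the in-memory log handler and the sample response headers are all constructed here for illustration. It also shows the one check worth doing alongside the redaction: header names are case-insensitive on the wire, so an exact-match comparison against a lowercase set silently leaks `Authorization` while catching `authorization`.

```python
"""Redacting sensitive response headers before they reach a debug log.

Added example, not openai-python code. SENSITIVE_HEADERS mirrors the set
named in the PR description; everything else here is constructed.
"""
import logging
from typing import Iterable, Mapping

SENSITIVE_HEADERS = {"api-key", "authorization"}  # assumed to match the PR's set
REDACTED = "<redacted>"

# Constructed sample of headers a client might get back from a proxy or
# gateway that echoes credentials. Mixed case is deliberate: header names are
# case-insensitive on the wire, so redaction must not depend on their case.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "application/json",
    "Authorization": "Bearer sk-live-0000000000EXAMPLE",
    "api-key": "sk-live-1111111111EXAMPLE",
    "x-request-id": "req_abc123",
}


def naive_redact(headers: Mapping[str, str]) -> dict[str, str]:
    """Exact-match comparison: misses 'Authorization' because of its case."""
    return {k: (REDACTED if k in SENSITIVE_HEADERS else v) for k, v in headers.items()}


def redact_headers(
    headers: Mapping[str, str], sensitive: Iterable[str] = SENSITIVE_HEADERS
) -> dict[str, str]:
    """Case-insensitive dict-comprehension redaction; original key case is kept."""
    lowered = {name.lower() for name in sensitive}
    return {k: (REDACTED if k.lower() in lowered else v) for k, v in headers.items()}


class _ListHandler(logging.Handler):
    """Collects formatted records so the emitted text can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_headers(headers: Mapping[str, str], redact: bool = True) -> str:
    """Log headers at DEBUG the way an HTTP client might, returning the emitted line."""
    logger = logging.getLogger("example.http_client")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False  # keep the sample out of the root logger's handlers
    handler = _ListHandler()
    logger.addHandler(handler)
    try:
        shown = redact_headers(headers) if redact else dict(headers)
        logger.debug("HTTP Response: %s", shown)
    finally:
        logger.removeHandler(handler)
    return handler.lines[0]


def leaked_secrets(log_line: str, headers: Mapping[str, str]) -> list[str]:
    """Return the sensitive header values that appear verbatim in the log line."""
    return [
        v for k, v in headers.items()
        if k.lower() in SENSITIVE_HEADERS and v in log_line
    ]


if __name__ == "__main__":
    print("unredacted:", log_headers(SAMPLE_RESPONSE_HEADERS, redact=False))
    print("redacted:  ", log_headers(SAMPLE_RESPONSE_HEADERS))
    print("naive:     ", naive_redact(SAMPLE_RESPONSE_HEADERS))
```

`leaked_secrets` is the kind of assertion the integration test mentioned in the commit message needs: rather than checking that a filter function returns the right dict, it scans the text that actually reaches the handler for the raw credential values, which is what an attacker with log access would see.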