From 6e698892b6195e010d36ca0f9ccd3c986f1cf3f3 Mon Sep 17 00:00:00 2001
From: s1gr1d <32902192+s1gr1d@users.noreply.github.com>
Date: Mon, 18 May 2026 14:29:21 +0200
Subject: [PATCH 1/3] ref(http): Use shared snippets for filtering headers and cookies
---
 .../data-collection/filtering-snippets.ts | 62 ++++++++++++++++
 packages/core/src/utils/request.ts | 70 ++-----------------
 2 files changed, 69 insertions(+), 63 deletions(-)
diff --git a/packages/core/src/utils/data-collection/filtering-snippets.ts b/packages/core/src/utils/data-collection/filtering-snippets.ts
index 4abbe9361799..48a4bd0b5280 100644
--- a/packages/core/src/utils/data-collection/filtering-snippets.ts
+++ b/packages/core/src/utils/data-collection/filtering-snippets.ts
@@ -1 +1,63 @@
 export const PII_HEADER_SNIPPETS = ['forwarded', '-ip', 'remote-', 'via', '-user'];
+
+export const SENSITIVE_KEY_SNIPPETS = [
+ 'auth',
+ 'token',
+ 'secret',
+ 'session', // for the user_session cookie
+ 'password',
+ 'passwd',
+ 'pwd',
+ 'key',
+ 'jwt',
+ 'bearer',
+ 'sso',
+ 'saml',
+ 'csrf',
+ 'xsrf',
+ 'credentials',
+ 'session',
+ 'sid',
+ 'identity',
+ // Always treat cookie headers as sensitive in case individual key-value cookie pairs cannot properly be extracted
+ 'set-cookie',
+ 'cookie',
+];
+
+/**
+ * Extra substrings matched only against individual Cookie / Set-Cookie **names** (not header names),
+ * so we can cover common session secrets that do not match {@link SENSITIVE_KEY_SNIPPETS}
+ * (e.g. `connect.sid` does not contain `session`) without false positives on arbitrary HTTP headers.
+ *
+ * Cookie names are checked with the same `includes()` list as headers plus these entries; omit redundant
+ * cookie-only snippets that are already implied by a header match (e.g. `oauth` → `auth`, `id_token` → `token`,
+ * `next-auth` → `auth`).
+ */
+export const SENSITIVE_COOKIE_NAME_SNIPPETS = [
+ // Express / Connect default session cookie
+ '.sid',
+ // Opaque session ids (PHPSESSID, ASPSESSIONID*, BIGipServer*, *sessid*, …)
+ 'sessid',
+ // Laravel etc. "remember me" tokens
+ 'remember',
+ // OIDC / OAuth auxiliary (`oauth*` covered by header snippet `auth`)
+ 'oidc',
+ 'pkce',
+ 'nonce',
+ // RFC 6265bis high-security cookie name prefixes
+ '__secure-',
+ '__host-',
+ // Load balancer / CDN sticky-session cookies (opaque routing tokens)
+ 'awsalb',
+ 'awselb',
+ 'akamai',
+ // BaaS / IdP session cookies (names often omit "session")
+ '__stripe',
+ 'cognito',
+ 'firebase',
+ 'supabase',
+ 'sb-',
+ // Step-up / MFA cookies
+ 'mfa',
+ '2fa',
+];
diff --git a/packages/core/src/utils/request.ts b/packages/core/src/utils/request.ts
index a3503365cfe8..6ed62145db85 100644
--- a/packages/core/src/utils/request.ts
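Review bot: `'sid'` in the new SENSITIVE_KEY_SNIPPETS list makes the cookie-only entries `'.sid'` and `'sessid'` in SENSITIVE_COOKIE_NAME_SNIPPETS redundant, which contradicts that list's own doc comment asking to omit snippets already implied by a shared-list match; either drop those two entries or update the comment if `'.sid'` is kept for documentation value. Because matching is `lowerCasedKey.includes(snippet)` and the shared list is applied to plain header names as well as cookie names, the short new substrings `'sid'` and `'identity'` now scrub any header whose name merely contains them, so a sentence on why that broadening is acceptable would help. SENSITIVE_KEY_SNIPPETS is exported without a doc comment; suggested: `/** Lower-case substrings, matched with includes(), that mark a header or cookie name as carrying a credential or secret; shared by header and cookie filtering. */`. Both lists are exported as plain mutable arrays, so any importer could push or splice entries and silently change filtering for every consumer; typing them `readonly string[]` (or `as const`) is a cheap guard.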
+++ b/packages/core/src/utils/request.ts
@@ -6,6 +6,11 @@ import type { RequestEventData } from '../types-hoist/request';
 import type { WebFetchHeaders, WebFetchRequest } from '../types-hoist/webfetchapi';
 import { debug } from './debug-logger';
 import { safeUnref } from './timer';
+import {
+ PII_HEADER_SNIPPETS,
+ SENSITIVE_COOKIE_NAME_SNIPPETS,
+ SENSITIVE_KEY_SNIPPETS,
+} from '../utils/data-collection/filtering-snippets';
 
 /**
 * Maximum size of incoming HTTP request bodies attached to events.
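Review bot: Importing the shared PII_HEADER_SNIPPETS here swaps request.ts's former local list `['x-forwarded-', '-user']` (removed in the hunk at -258) for `['forwarded', '-ip', 'remote-', 'via', '-user']`, which widens the set of request headers treated as PII; patch 3/3 changing the cf_connecting_ip expectation to `'[Filtered]'` is the visible consequence. The subject `ref(http)` presents the series as a pure refactor, so the commit description (and probably a changelog entry) should state that any header whose name contains `forwarded`, `-ip`, `remote-` or `via` is now subject to PII filtering, under whatever gating handleHttpHeader applies (that branch is outside the hunk). Since these are `includes()` substrings, `'via'` and `'-ip'` may also catch unrelated custom header names; worth confirming against the existing header fixtures before merging.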
@@ -258,67 +263,6 @@ function getAbsoluteUrl({
 return undefined;
 }
 
-const SENSITIVE_HEADER_SNIPPETS = [
- 'auth',
- 'token',
- 'secret',
- 'session', // for the user_session cookie
- 'password',
- 'passwd',
- 'pwd',
- 'key',
- 'jwt',
- 'bearer',
- 'sso',
- 'saml',
- 'csrf',
- 'xsrf',
- 'credentials',
- // Always treat cookie headers as sensitive in case individual key-value cookie pairs cannot properly be extracted
- 'set-cookie',
- 'cookie',
-];
-
-/**
- * Extra substrings matched only against individual Cookie / Set-Cookie **names** (not header names),
- * so we can cover common session secrets that do not match {@link SENSITIVE_HEADER_SNIPPETS}
- * (e.g. `connect.sid` does not contain `session`) without false positives on arbitrary HTTP headers.
- *
- * Cookie names are checked with the same `includes()` list as headers plus these entries; omit redundant
- * cookie-only snippets that are already implied by a header match (e.g. `oauth` → `auth`, `id_token` → `token`,
- * `next-auth` → `auth`).
- */
-const SENSITIVE_COOKIE_NAME_SNIPPETS = [
- // Express / Connect default session cookie
- '.sid',
- // Opaque session ids (PHPSESSID, ASPSESSIONID*, BIGipServer*, *sessid*, …)
- 'sessid',
- // Laravel etc. "remember me" tokens
- 'remember',
- // OIDC / OAuth auxiliary (`oauth*` covered by header snippet `auth`)
- 'oidc',
- 'pkce',
- 'nonce',
- // RFC 6265bis high-security cookie name prefixes
- '__secure-',
- '__host-',
- // Load balancer / CDN sticky-session cookies (opaque routing tokens)
- 'awsalb',
- 'awselb',
- 'akamai',
- // BaaS / IdP session cookies (names often omit "session")
- '__stripe',
- 'cognito',
- 'firebase',
- 'supabase',
- 'sb-',
- // Step-up / MFA cookies
- 'mfa',
- '2fa',
-];
-
-const PII_HEADER_SNIPPETS = ['x-forwarded-', '-user'];
-
 /**
 * Converts incoming HTTP request or response headers to OpenTelemetry span attributes following semantic conventions.
 * Header names are converted to the format: http..header.
@@ -434,8 +378,8 @@ function handleHttpHeader(
 isCookieSubKey: boolean = false,
 ): string | undefined {
 const snippetsForSensitivity = isCookieSubKey
- ? [...SENSITIVE_HEADER_SNIPPETS, ...SENSITIVE_COOKIE_NAME_SNIPPETS]
- : SENSITIVE_HEADER_SNIPPETS;
+ ? [...SENSITIVE_KEY_SNIPPETS, ...SENSITIVE_COOKIE_NAME_SNIPPETS]
+ : SENSITIVE_KEY_SNIPPETS;
 
 const isSensitive = sendPii
 ? snippetsForSensitivity.some(snippet => lowerCasedKey.includes(snippet))
From 883b266545e317db9310090e69e1c4b8ebdaea69 Mon Sep 17 00:00:00 2001
From: Sigrid <32902192+s1gr1d@users.noreply.github.com>
Date: Mon, 18 May 2026 14:37:35 +0200
Subject: [PATCH 2/3] Update packages/core/src/utils/data-collection/filtering-snippets.ts
Co-authored-by: Charly Gomez
---
 packages/core/src/utils/data-collection/filtering-snippets.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/packages/core/src/utils/data-collection/filtering-snippets.ts b/packages/core/src/utils/data-collection/filtering-snippets.ts
index 48a4bd0b5280..adb089d8d5de 100644
--- a/packages/core/src/utils/data-collection/filtering-snippets.ts
+++ b/packages/core/src/utils/data-collection/filtering-snippets.ts
@@ -16,7 +16,6 @@ export const SENSITIVE_KEY_SNIPPETS = [
 'csrf',
 'xsrf',
 'credentials',
- 'session',
 'sid',
 'identity',
 // Always treat cookie headers as sensitive in case individual key-value cookie pairs cannot properly be extracted
From c4d9f5c2dc591d393e08b58e97551bcddc8e9ef1 Mon Sep 17 00:00:00 2001
From: s1gr1d <32902192+s1gr1d@users.noreply.github.com>
Date: Tue, 19 May 2026 10:18:25 +0200
Subject: [PATCH 3/3] filter ip value
---
 .../suites/public-api/startSpan-streamed/test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev-packages/cloudflare-integration-tests/suites/public-api/startSpan-streamed/test.ts b/dev-packages/cloudflare-integration-tests/suites/public-api/startSpan-streamed/test.ts
index 0319d3c1b298..da5ca1a91f4a 100644
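Review bot: The spread `[...SENSITIVE_KEY_SNIPPETS, ...SENSITIVE_COOKIE_NAME_SNIPPETS]` is rebuilt on every call made with isCookieSubKey set, i.e. once per cookie pair on every request, and the commit only renames the list rather than removing the per-call allocation. Now that both inputs are module-level constants imported from filtering-snippets, the combined list can be built once, `const SENSITIVE_COOKIE_SNIPPETS = [...SENSITIVE_KEY_SNIPPETS, ...SENSITIVE_COOKIE_NAME_SNIPPETS];` at module scope, and this line becomes `const snippetsForSensitivity = isCookieSubKey ? SENSITIVE_COOKIE_SNIPPETS : SENSITIVE_KEY_SNIPPETS;`. handleHttpHeader begins and ends outside the hunk, so the `sendPii` false branch is not visible here.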
--- a/dev-packages/cloudflare-integration-tests/suites/public-api/startSpan-streamed/test.ts
+++ b/dev-packages/cloudflare-integration-tests/suites/public-api/startSpan-streamed/test.ts
@@ -226,7 +226,7 @@ it('sends a streamed span envelope with correct spans for a manually started spa
 },
 'http.request.header.cf_connecting_ip': {
 type: 'string',
- value: expect.stringMatching(/^(::1|127\.0\.0\.1)$/),
+ value: '[Filtered]',
 },
 'http.request.header.host': {
 type: 'string',