@spfn/monitor 0.1.0-beta.21 → 0.1.0-beta.22

package/dist/server.js

@@ -3290,6 +3290,45 @@ var monitorRouter = defineRouter({
 
 // src/server/integrations/error-handler.ts
 import { getMinStatusCode } from "@spfn/monitor/config";
+var SENSITIVE_HEADERS = /* @__PURE__ */ new Set([
+  "authorization",
+  "proxy-authorization",
+  "cookie",
+  "set-cookie",
+  "x-api-key",
+  "x-auth-token",
+  "x-csrf-token",
+  "x-xsrf-token",
+  "x-spfn-proxy-signature",
+  "x-amz-security-token"
+]);
+var SENSITIVE_QUERY = /* @__PURE__ */ new Set([
+  "token",
+  "access_token",
+  "refresh_token",
+  "id_token",
+  "code",
+  "secret",
+  "client_secret",
+  "password",
+  "passwd",
+  "pwd",
+  "api_key",
+  "apikey",
+  "key",
+  "signature",
+  "sig",
+  "session",
+  "sessionid",
+  "auth"
+]);
+function redact(obj, deny) {
+  const out = {};
+  for (const [k, v] of Object.entries(obj)) {
+    out[k] = deny.has(k.toLowerCase()) ? "***" : v;
+  }
+  return out;
+}
 var logger4 = monitorLogger.errorTracking;
 function createMonitorErrorHandler(options = {}) {
   return async (err, ctx) => {
@@ -3303,8 +3342,10 @@ function createMonitorErrorHandler(options = {}) {
       method: ctx.method,
       requestId: ctx.requestId,
       userId: ctx.userId != null ? String(ctx.userId) : void 0,
-      headers: ctx.request.headers,
-      query: ctx.request.query,
+      // Redact secrets before they are persisted (error_events.headers) and
+      // forwarded to Slack (S-H3 / S-M2 / S-L3).
+      headers: redact(ctx.request.headers, SENSITIVE_HEADERS),
+      query: redact(ctx.request.query, SENSITIVE_QUERY),
       environment: options.environment
     };
     const metadata = options.extractMetadata?.(err, trackingCtx);