Skip to content

fix(mcp): redact sensitive headers in MCP request logs#8

Merged
Chat2DB-Pro merged 1 commit into
OtterMind:mainfrom
oopswoo3:fix/mcp-log-header-redaction
Jun 18, 2026
Merged

fix(mcp): redact sensitive headers in MCP request logs#8
Chat2DB-Pro merged 1 commit into
OtterMind:mainfrom
oopswoo3:fix/mcp-log-header-redaction

Conversation

@oopswoo3

Copy link
Copy Markdown
Contributor

Summary

  • 新增 SensitiveHeaderLogMask,对 apikeyAuthorizationcookie 等敏感 header 做掩码
  • UnifiedMultiTenancyFilterMcpLogger 请求日志改用脱敏后的 header map
  • 鉴权逻辑不变,仅影响日志与 MCP_FILE 落盘内容

Why

MCP 请求日志此前会原样记录 apikey(含 service_role JWT),生产环境 McpLogger 为 INFO 级别并写入文件,存在凭证泄露风险。

Test plan

  • mvn test -Dtest=SensitiveHeaderLogMaskTest

Mask apikey, Authorization, and related credentials before McpLogger writes
request headers to console and MCP_FILE, without changing auth behavior.
@Chat2DB-Pro Chat2DB-Pro merged commit a28b321 into OtterMind:main Jun 18, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants