[IMP] api_log: Hide sensitive headers

Author: SirPyTech

api_log/models/api_log.py

@@ -59,9 +59,30 @@ class APILog(models.Model):
         compute="_compute_response_headers_derived", store=True
     )
 
+    @api.model
+    def _headers_hidden_keys(self):
+        """Header keys that should not be logged.
+
+        They might contains sensitive data.
+        """
+        return (
+            "Api-Key",
+            "Cookie",
+        )
+
+    @api.model
+    def _sanitize_headers_dict(self, headers_dict):
+        keys_to_hide = self._headers_hidden_keys()
+        for key in headers_dict:
+            if key in keys_to_hide:
+                headers_dict[key] = "<redacted>"
+        return headers_dict
+
+    @api.model
     def _headers_to_dict(self, headers):
         try:
-            return {key.lower(): value for key, value in headers.items()}
+            headers_dict = {key: value for key, value in headers.items()}
+            return self._sanitize_headers_dict(headers_dict)
         except AttributeError:
             return {}
 

api_log/tests/test_api_log.py

@@ -12,14 +12,23 @@
 class TestAPILog(CommonAPILog):
     def test_log_request(self):
         base_url = self.base_url()
+        secret_api_key = "my-secret-api-key"
+        secret_cookie = "my-secret-biscuit"
         request = requests.Request(
+            headers={
+                "Api-Key": secret_api_key,
+                "Cookie": secret_cookie,
+            },
             url=base_url,
             method="GET",
         )
         log = self.log_model.log_request(request)
 
         self.assertEqual(log.request_url, base_url)
         self.assertEqual(log.request_method, "GET")
+        headers_dict = log.request_headers.values()
+        self.assertNotIn(secret_api_key, headers_dict)
+        self.assertNotIn(secret_cookie, headers_dict)
 
     def test_log_response(self):
         response = Response()