From 2983183fe0f89b39363798fbff7ed8f399117c5d Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Mon, 12 Feb 2024 18:29:46 +0000
Subject: [PATCH] fix(server/logging): sensitive response headers should not be logged (#2039)

---
 packages/server/logging/expressLogging.ts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/packages/server/logging/expressLogging.ts b/packages/server/logging/expressLogging.ts
index 3ed0ca38e5..d76c54ea1a 100644
--- a/packages/server/logging/expressLogging.ts
+++ b/packages/server/logging/expressLogging.ts
@@ -111,7 +111,20 @@ export const LoggingExpressMiddleware = HttpLogger({
 return {
 statusCode: res.raw.statusCode,
 // Allowlist useful headers
- headers: resRaw.raw.headers,
+ headers: Object.fromEntries(
+ Object.entries(resRaw.raw.headers).filter(
+ ([key]) =>
+ ![
+ 'set-cookie',
+ 'authorization',
+ 'cf-connecting-ip',
+ 'true-client-ip',
+ 'x-real-ip',
+ 'x-forwarded-for',
+ 'x-original-forwarded-for'
+ ].includes(key.toLocaleLowerCase())
+ )
+ ),
 userId: auth?.userId
 }
 })
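Review bot: The new `headers:` expression is a denylist, while the comment directly above it still says "Allowlist useful headers" — any sensitive header not enumerated (for example `proxy-authorization`, `www-authenticate`, or a custom token header added later) still reaches the logs. A true allowlist of the few headers that are useful for debugging is the safer default and makes the comment accurate; if the denylist is kept instead, hoist the array into a module-level `Set` so it is not rebuilt on every response and `includes` becomes an O(1) lookup. `key.toLocaleLowerCase()` is locale-dependent (under a Turkish default locale `'I'` lowercases to dotless `ı`, so an upper-cased `AUTHORIZATION` would not match); protocol tokens should use `key.toLowerCase()`. `Object.entries` throws if `resRaw.raw.headers` is ever undefined, which the hunk does not let me rule out, so `resRaw.raw.headers ?? {}` is a cheap guard. The serializer function this sits in starts before the hunk, so the module constant below belongs above `LoggingExpressMiddleware`.
```typescript
// Response headers worth keeping in logs; everything else (cookies, auth,
// client-IP and any unknown custom header) is dropped. Starting set — adjust.
const LOGGED_RESPONSE_HEADERS = new Set([
  'content-type',
  'content-length',
  'cache-control',
  'location'
])
// … unchanged: LoggingExpressMiddleware up to the response serializer …
        // Allowlist useful headers
        headers: Object.fromEntries(
          Object.entries(resRaw.raw.headers ?? {}).filter(([key]) =>
            LOGGED_RESPONSE_HEADERS.has(key.toLowerCase())
          )
        ),
```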