
fix(security): redact auth headers from OkHttp logging#4816

Open
IvanBila wants to merge 1 commit into dhis2:main from IvanBila:fix/redact-auth-headers-logging

Conversation

@IvanBila

Summary

logging-interceptor:4.12.0 is on the runtime classpath (force-pinned in app/build.gradle.kts), but no app-owned HttpLoggingInterceptor exists with redactHeader(...) configured. A misconfigured dev build or a future SDK change that enables body-level logging would leak Authorization to logcat.

Change

  • Register one shared HttpLoggingInterceptor on D2Configuration.networkInterceptors in ServerModule.getD2Configuration(...).
  • redactHeader("Authorization"), "Cookie", "Set-Cookie", "Proxy-Authorization".
  • Level: BASIC in debug, NONE in release.

Test plan

  • Debug build: logcat shows method + URL for each request; Authorization: ██ when BODY is enabled locally.
  • Release build: logcat shows no request lines from this interceptor.
  • Login + sync still work (sanity check the chain didn't break).

Register a single app-owned HttpLoggingInterceptor on the SDK's
D2Configuration.networkInterceptors with redactHeader("Authorization"),
"Cookie", "Set-Cookie" and "Proxy-Authorization". Level is NONE in
release and BASIC in debug, so even a developer flipping levels for
local debugging will not leak credentials via logcat.
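As an added illustration (not code from this PR or from the dhis2 project), the Kotlin below builds the shared `HttpLoggingInterceptor` the description calls for and then runs the "developer flipped the level to BODY" scenario offline to confirm the captured log lines carry `Authorization: ██` rather than the credential. `isDebugBuild` stands in for `BuildConfig.DEBUG`, `offlineStub` and `verifyRedaction` are names chosen here, the URL and the Basic credential are constructed placeholders, and the check registers the interceptor as an application interceptor so no connection is opened; in the app the same instance would be handed to `D2Configuration.networkInterceptors` as the PR describes.

```kotlin
import okhttp3.Interceptor
import okhttp3.OkHttpClient
import okhttp3.Protocol
import okhttp3.Request
import okhttp3.Response
import okhttp3.ResponseBody.Companion.toResponseBody
import okhttp3.logging.HttpLoggingInterceptor

// Assumed for illustration: isDebugBuild stands in for BuildConfig.DEBUG.
fun buildRedactingLoggingInterceptor(
    isDebugBuild: Boolean,
    logger: HttpLoggingInterceptor.Logger = HttpLoggingInterceptor.Logger.DEFAULT,
): HttpLoggingInterceptor =
    HttpLoggingInterceptor(logger).apply {
        // Redaction applies whenever the level prints headers (HEADERS or BODY);
        // OkHttp matches these names case-insensitively.
        redactHeader("Authorization")
        redactHeader("Cookie")
        redactHeader("Set-Cookie")
        redactHeader("Proxy-Authorization")
        level = if (isDebugBuild) HttpLoggingInterceptor.Level.BASIC
                else HttpLoggingInterceptor.Level.NONE
    }

/** Application interceptor that answers every request locally, so the check needs no network. */
private val offlineStub = Interceptor { chain ->
    Response.Builder()
        .request(chain.request())
        .protocol(Protocol.HTTP_1_1)
        .code(200)
        .message("OK")
        .body("".toResponseBody(null))
        .build()
}

/**
 * Simulates a developer flipping the debug interceptor to BODY and verifies that the
 * captured log lines never contain the raw credential. Returns the captured lines.
 */
fun verifyRedaction(): List<String> {
    val captured = mutableListOf<String>()
    val capturingLogger = object : HttpLoggingInterceptor.Logger {
        override fun log(message: String) { captured += message }
    }
    val logging = buildRedactingLoggingInterceptor(isDebugBuild = true, logger = capturingLogger)
    logging.level = HttpLoggingInterceptor.Level.BODY   // the "misconfigured dev build" case

    val client = OkHttpClient.Builder()
        .addInterceptor(logging)      // logs the request as it leaves the application layer
        .addInterceptor(offlineStub)  // short-circuits before any connection is opened
        .build()

    // Constructed sample credential: a placeholder, not a real token.
    val secret = "Basic ZGVtbzpkZW1vLXBsYWNlaG9sZGVy"
    val request = Request.Builder()
        .url("https://dhis2.example.invalid/api/me")
        .header("Authorization", secret)
        .build()
    client.newCall(request).execute().close()

    check(captured.any { it.startsWith("Authorization: ") && it.contains("██") }) {
        "Authorization header was not logged in redacted form"
    }
    check(captured.none { it.contains(secret) }) { "raw credential leaked into the log" }
    return captured
}

fun main() {
    verifyRedaction().forEach(::println)
}
```

Because `redactHeader` masks the value at any level that prints headers, the guarantee does not depend on the level staying at BASIC; the check above exercises exactly the BODY case the PR's test plan mentions, and `main()` prints the captured lines so the `Authorization: ██` line can be seen directly.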