Redact Authorization header from OkHttp logs
Pull request overview
Adds automatic redaction of sensitive authentication headers in OkHttp HTTP traffic logging within the Java Client to prevent credentials from being written to logs/console output.
Changes:
- Introduces a header-redaction helper in `OkHttpServices` and applies it to all OkHttp logging outputs (SLF4J logger / stdout / stderr).
- Documents HTTP logging configuration and security risks in `CONTRIBUTING.md`.
- Adds a focused unit test suite validating redaction behavior without requiring a MarkLogic instance.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| marklogic-client-api/src/main/java/com/marklogic/client/impl/OkHttpServices.java | Adds redaction regex + helper and ensures all OkHttp log output paths redact sensitive headers. |
| CONTRIBUTING.md | Documents HTTP logging properties and includes a security warning for non-production use. |
| marklogic-client-api/src/test/java/com/marklogic/client/impl/RedactSensitiveHeadersTest.java | Adds unit tests for redaction behavior (single-line and multi-line messages). |
rjrudin requested changes on Jun 18, 2026
Extract the OkHttp logging message handler and header-redaction logic from OkHttpServices into a dedicated RedactingHttpLogger class. Move the unit test to RedactingHttpLoggerTest in the same package. Revert CONTRIBUTING.md changes (HTTP logging docs belong in product documentation, not the contributor guide).
rjrudin approved these changes on Jun 18, 2026
rjdew-progress approved these changes on Jun 18, 2026
Summary
When OkHttp HTTP traffic logging is enabled via the `com.marklogic.client.okhttp.httplogginginterceptor.level` system property, `Authorization` and `x-auth-token` header values are now automatically replaced with `[REDACTED]` before any log output is written — preventing credentials from appearing in log files, stdout, or stderr.
Changes
- `OkHttpServices.java`: `redactSensitiveHeaders()` method; applied to all three log output paths; pre-compiled `Pattern` constant; security Javadoc added
- `CONTRIBUTING.md`
- `RedactSensitiveHeadersTest.java`

Jira Bug: https://progresssoftware.atlassian.net/browse/MLE-30240
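An added example of the redaction the summary describes, covering single-line and multi-line log messages; it is not the code from this pull request. The class name `HeaderRedactionExample`, the regex and the sample messages are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public class HeaderRedactionExample {

    // Assumed pattern (not the project's): a sensitive header name at the start of a line,
    // a colon, then the value up to the end of that line. [ \t] is used instead of \s so
    // an empty value cannot make the match run on into the next line.
    private static final Pattern SENSITIVE_HEADER = Pattern.compile(
        "^([ \\t]*(?:Authorization|x-auth-token)[ \\t]*:[ \\t]*).*$",
        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE);

    // Replaces the value of each sensitive header line, keeping the name for debugging.
    static String redact(String message) {
        if (message == null || message.isEmpty()) {
            return message;
        }
        return SENSITIVE_HEADER.matcher(message).replaceAll("$1[REDACTED]");
    }

    public static void main(String[] args) {
        // Constructed log messages; every credential value here is made up.
        List<String> messages = List.of(
            "Authorization: Basic constructed-secret-b64",
            "x-auth-token: constructed-secret-token",
            "authorization: Bearer constructed-secret-jwt", // lower-case header name
            "--> POST /v1/documents\r\nAuthorization: Digest constructed-secret\r\nAccept: */*",
            "Content-Length: 42");
        for (String message : messages) {
            String out = redact(message);
            if (out.contains("secret")) {
                throw new IllegalStateException("credential leaked: " + out);
            }
            System.out.println(out);
        }
        // An empty header value must not swallow the following line.
        String next = redact("Authorization:\nContent-Type: text/plain");
        if (!next.equals("Authorization:[REDACTED]\nContent-Type: text/plain")) {
            throw new IllegalStateException("over-redaction: " + next);
        }
    }
}
```

This pattern only matches a header name at the start of a line, so a credential that appears mid-line, for example inside a logged request body, is not covered by it.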