fix(node): Remove Cookie header from requestdata.headers if cookies should not be sent to Sentry (#5898)

When using the `Sentry.requestMiddleware` in Node (Express), users have the option to define which properties of the incoming requests should be added to the event that is sent to Sentry. Among other options, they can set

* `headers` to add the request's http headers to `event.request.headers`
* `cookies` to add the request's cookies to `event.request.cookies`

However, there is a problem if `cookies` is not specified but `headers` is: The `Cookie` http header of the incoming request is still added to `event.request.headers` as it is treated like a normal http header. Therefore, cookie data (potentially containing sensitive data) is added to the event although users expect it to not be added.

This patch fixes this behaviour by removing the `Cookie` http header from the collected headers, if `cookies` is not specified in the requestHandler options but `headers` is. Additionally, it adds two tests to check this new behaviour.

fixes #5458
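
The behaviour the commit message describes, as an added sketch that is not the SDK's code: `collectRequestData`, its `include` list, the helper names and the sample request are assumptions made for illustration.

```javascript
// Added illustration; all function names here are hypothetical, not Sentry's API.

// Find a header's actual key regardless of case (constructed helper).
function findHeaderKey(headers, wanted) {
  return Object.keys(headers).find((k) => k.toLowerCase() === wanted);
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(headerValue) {
  const jar = {};
  for (const pair of String(headerValue || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue; // skip fragments without a name=value shape
    jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// Build the request part of an event from the properties the user opted into.
function collectRequestData(req, include) {
  const headers = req.headers || {};
  const cookieKey = findHeaderKey(headers, 'cookie');
  const data = {};

  if (include.includes('headers')) {
    data.headers = { ...headers };
    // Without 'cookies' opted in, the raw Cookie header must not ride along
    // as if it were an ordinary header.
    if (!include.includes('cookies') && cookieKey !== undefined) {
      delete data.headers[cookieKey];
    }
  }
  if (include.includes('cookies')) {
    data.cookies = parseCookies(cookieKey !== undefined ? headers[cookieKey] : '');
  }
  return data;
}

// Constructed sample request (not captured traffic).
const sampleReq = {
  headers: { host: 'app.example', 'user-agent': 'curl/8.0', Cookie: 'session=abc123; theme=dark' },
};

console.log(collectRequestData(sampleReq, ['headers']));
console.log(collectRequestData(sampleReq, ['headers', 'cookies']));
```
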