Security tokens might be exposed in cassettes #704

Closed
zerogvt opened this issue Apr 7, 2018 · 4 comments

Comments


zerogvt commented Apr 7, 2018

Security tokens (secrets) also get written to cassettes. I noticed this in an enterprise environment (using octokit to interact with the company's GitHub). My token was written down unencrypted, and it just takes a simple grep for "token" in the cassettes to reveal it.
The token is generally not needed to replay cassettes, so it could either be removed at the end of the HTTP dialogue or not be written down in the first place.

@krainboltgreene (Contributor)

There is no way for VCR to know what data in a request is secret or not.

@mcfiredrill (Collaborator)

Please use the filter sensitive data feature for this:
https://relishapp.com/vcr/vcr/v/1-10-0/docs/configuration/filter-sensitive-data
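To make the advice above concrete, here is an added example that is not part of the issue thread or of the VCR project's own code. It reproduces in plain Ruby the substitution that VCR's filter_sensitive_data performs (secret replaced by a placeholder before the cassette is written, and reversed on playback) and adds a check a practitioner can run in CI to catch cassettes that were recorded before a filter was configured. The cassette text and the token value are constructed for the example; the only real VCR API referenced is the configuration shown in the leading comment.

```ruby
require 'yaml'

# With the gem itself, the equivalent configuration is:
#
#   VCR.configure do |c|
#     c.filter_sensitive_data('<GITHUB_TOKEN>') { ENV['GITHUB_TOKEN'] }
#   end
#
# The functions below show what that does to the cassette text, without
# requiring the gem, so the behaviour can be inspected offline.

# Made-up token value and a constructed cassette in VCR's YAML layout, as
# written when no filter is configured: the token leaks into both the
# query string and the Authorization header.
TOKEN = 'deadbeef0123456789abcdef'.freeze
PLACEHOLDER = '<GITHUB_TOKEN>'.freeze

LEAKED_CASSETTE = <<~YAML
  ---
  http_interactions:
  - request:
      method: get
      uri: https://github.example.com/api/v3/user?access_token=#{TOKEN}
      headers:
        Authorization:
        - token #{TOKEN}
    response:
      status:
        code: 200
      body:
        string: '{"login":"zerogvt"}'
YAML

# Same substitution filter_sensitive_data applies before recording: every
# occurrence of the secret, wherever it appears, becomes the placeholder.
def scrub(cassette_text, secret, placeholder)
  cassette_text.gsub(secret, placeholder)
end

# The reverse substitution applied on playback, so a recorded interaction
# still matches a live request that carries the real token.
def unscrub(cassette_text, secret, placeholder)
  cassette_text.gsub(placeholder, secret)
end

# A value is considered redacted when it is a bracketed placeholder.
REDACTED = /<[A-Z_]+>/

# CI check: report any interaction whose Authorization header or token
# query parameter still holds a raw value instead of a placeholder.
# Returns an array of human-readable findings (empty means clean).
def leaked_tokens(cassette_text)
  doc = YAML.safe_load(cassette_text)
  findings = []
  Array(doc['http_interactions']).each_with_index do |interaction, i|
    req = interaction.fetch('request', {})
    uri = req['uri'].to_s
    if uri =~ /[?&](?:access_token|token)=([^&]+)/ && $1 !~ REDACTED
      findings << "interaction #{i}: token in query string"
    end
    Array(req.dig('headers', 'Authorization')).each do |value|
      findings << "interaction #{i}: Authorization header" unless value =~ REDACTED
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts "before filtering: #{leaked_tokens(LEAKED_CASSETTE).inspect}"
  clean = scrub(LEAKED_CASSETTE, TOKEN, PLACEHOLDER)
  puts "after filtering:  #{leaked_tokens(clean).inspect}"
  puts clean
end
```

The substitution is a plain string replacement, which is also why the thread's point stands: the filter only removes values you have told it about, so a token that reaches the request through some other path (a second environment variable, a value pasted into a test) is still written to disk. Running a check like leaked_tokens over the cassette directory in CI catches that case regardless of which filters were configured.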


vfonic commented Dec 20, 2019

@krainboltgreene I have the same concern/issue as @zerogvt (and probably many other people, based on a simple search for "secret": https://github.com/vcr/vcr/issues?utf8=%E2%9C%93&q=secret).

I agree with you. It's impossible for VCR to know all the secrets and tokens.

However, I think it would be really helpful if there were a mention of this in the README.

Yes, I see the link posted by @mcfiredrill. I've been using VCR for several years now and this is the first time I have seen that link. It's there, but not the easiest to find, yet I think it's important enough that it should be more visible.


vfonic commented Dec 20, 2019

I've created a PR if you think this is worth merging: #783
