async-http-client
Authorization header: sensitive data leaks in debug logs
When the log level is set to debug, the request object is logged. This prints all headers, including the Authorization header. In case a user has implemented their own credentials mechanism, for example because the Realm object was not sufficient for the authorization scheme (or for any other reason), sensitive information can leak. Bearer scheme authorization is one such example.
A simple fix is to not log authorization headers: when iterating the headers, if the header key is Authorization, print something like * authorization data skipped *
This is a simple, straightforward solution that is very robust: no matter why the user set the headers themselves, no Authorization header leak is possible (on the client side), assuming the underlying implementation (such as Netty) doesn't also log all headers.
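The redaction the issue proposes, as an added illustration that is not code from async-http-client or from the reporter: a formatter that walks the request headers and replaces the value of any credential-bearing header with a placeholder before the line reaches the debug log. It generalizes the issue's single case slightly by also redacting Proxy-Authorization, which carries credentials in the same way. To keep it runnable stand-alone it takes a plain Map instead of Netty's HttpHeaders (an assumption; in the client you would iterate the request's header entries the same way), and the sample headers in main are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Formats request headers for a debug log line, hiding credential-bearing values. */
public final class RedactingHeaderFormatter {

    // Headers whose values are credentials. HTTP header names are case-insensitive,
    // so comparison is done on the lower-cased, trimmed name.
    private static final Set<String> SENSITIVE =
            new HashSet<>(Arrays.asList("authorization", "proxy-authorization"));

    private static final String PLACEHOLDER = "* authorization data skipped *";

    private RedactingHeaderFormatter() {}

    /** True if this header name must never be logged verbatim. */
    public static boolean isSensitive(String name) {
        return name != null && SENSITIVE.contains(name.trim().toLowerCase(Locale.ROOT));
    }

    /**
     * The unsafe form: one "Name: value" line per header value, exactly as a
     * request toString() would print it, leaking any token or password.
     */
    public static List<String> formatUnredacted(Map<String, List<String>> headers) {
        List<String> lines = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            for (String value : e.getValue()) {
                lines.add(e.getKey() + ": " + value);
            }
        }
        return lines;
    }

    /**
     * The hardened form: same layout, but every value of a sensitive header is
     * replaced by the placeholder. The header name is kept so the log still
     * shows that credentials were sent, which is usually what the debugging needs.
     */
    public static List<String> formatRedacted(Map<String, List<String>> headers) {
        List<String> lines = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            String name = e.getKey();
            boolean redact = isSensitive(name);
            for (String value : e.getValue()) {
                lines.add(name + ": " + (redact ? PLACEHOLDER : value));
            }
        }
        return lines;
    }

    public static void main(String[] args) {
        // Constructed sample headers, as a user who set a Bearer token by hand
        // (because Realm did not fit their scheme) would produce. The token is fake.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Host", Arrays.asList("api.example.com"));
        headers.put("Authorization", Arrays.asList("Bearer eyJhbGciOi.example.token"));
        headers.put("Proxy-Authorization", Arrays.asList("Basic dXNlcjpwYXNz"));
        headers.put("Accept", Arrays.asList("application/json"));

        System.out.println("-- unsafe debug output --");
        for (String line : formatUnredacted(headers)) {
            System.out.println(line);
        }
        System.out.println("-- redacted debug output --");
        for (String line : formatRedacted(headers)) {
            System.out.println(line);
        }
    }
}
```

Matching on the lower-cased name matters: a header set as "authorization" or "AUTHORIZATION" is the same header on the wire, and an exact-string check on "Authorization" would let it through. As the issue notes, this only closes the client-side log; the transport layer's own wire logging (Netty's LoggingHandler, for example) has to be checked separately.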
@grunzwei Going to look at this a bit later today - please ping me if I forget.
Ping?
@grunzwei I'll be taking over maintainership of the repo in the next few days, so more info to come. :)
Congrats and good luck
@grunzwei Did not forget about this - on the list :) If this is still relevant to you then please feel free to open a PR (if not, I'll get to it soon enough).