Authorization Headers not scrubbed (Django Rest Framework)
Not 100% sure if this is a bug or a feature request.
Environment
How do you use Sentry? Self-hosted 21.7.0 (6a3c273)
Which SDK and version? Python 3.8.12, sentry-sdk 1.4.1, Django 3.2.3, Django Rest Framework 3.12.4
Steps to Reproduce
- Create a DRF project using the versions provided above and have authenticated calls
- Add Sentry with:

    import logging
    from os import getenv

    from sentry_sdk import init
    from sentry_sdk.integrations.django import DjangoIntegration
    from sentry_sdk.integrations.logging import LoggingIntegration

    def init_sentry(dsn, environment):
        init(
            dsn=dsn,
            attach_stacktrace=True,
            request_bodies="always",   # request bodies are sent in full
            with_locals=True,          # local variables are captured with each stack frame
            integrations=[
                DjangoIntegration(),
                LoggingIntegration(level=logging.DEBUG, event_level=logging.ERROR),
            ],
            traces_sample_rate=1.0,
            send_default_pii=True,     # attaches user and request PII, including headers
            release=getenv("API_VERSION"),
            environment=environment,
        )
- Run the server and make an authenticated request
Expected Result
The Authorization header is not sent to Sentry
Actual Result
Authorization header is sent to Sentry
My investigation
The headers are added as part of the request object here. The _filter_headers method at the end of the same file seems like what I need, but it is not called here.
I see the Ruby Integration has a sanitize_http_headers option which would achieve what I need.
If I want to open the PR myself which option would be preferable: Calling _filter_headers, adding a sanitize_http_headers option, or something else?
Thank you for your time
Looking more into the code and testing, I realize send_default_pii controls whether to filter the Authorization header or not.
It would be best to have a separate setting because we might still want to know about the users without leaking their tokens, but it solves my issue for now.
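One way to get the separate control the comment above asks for is a `before_send` hook that redacts the header itself, independent of `send_default_pii`. The hook below is an added example for this thread, not code from the issue author or from the sentry-sdk project: the function name `scrub_event`, the header list, the key and value patterns, and the sample event are all assumptions constructed for the example. Because the posted config also sets `with_locals=True` and `request_bodies="always"`, the same token can reach Sentry through captured frame locals or the request body, so the hook walks those fields too.

```python
"""before_send hook that strips credentials from Sentry events (added example)."""
import copy
import re
from typing import Any, Dict, Optional

REDACTED = "[Filtered]"

# Header names (lower-cased) to redact regardless of send_default_pii.
SENSITIVE_HEADERS = frozenset(
    {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
)
# Keys in request bodies and frame locals that commonly hold credentials;
# with_locals=True and request_bodies="always" send both to Sentry.
SENSITIVE_KEY_RE = re.compile(r"auth|token|passw|secret|api[_-]?key|cookie|session", re.I)
# Credential-looking values inside strings, e.g. a repr() of request.META
# that embeds "Token 9944b0..." or a Bearer JWT.
SENSITIVE_VALUE_RE = re.compile(r"\b(bearer|token|basic|digest)\s+[A-Za-z0-9._~+/=-]+", re.I)


def redact_tree(obj: Any, depth: int = 0) -> Any:
    """Recursively redact sensitive keys and credential-looking strings."""
    if depth > 32:  # guard against pathological nesting
        return REDACTED
    if isinstance(obj, dict):
        return {
            k: (REDACTED if isinstance(k, str) and SENSITIVE_KEY_RE.search(k)
                else redact_tree(v, depth + 1))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return [redact_tree(v, depth + 1) for v in obj]
    if isinstance(obj, str):
        return SENSITIVE_VALUE_RE.sub(lambda m: f"{m.group(1)} {REDACTED}", obj)
    return obj


def scrub_event(event: Dict[str, Any], hint: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """sentry_sdk before_send callback: returns a redacted deep copy of the
    event and never None, so events are scrubbed rather than dropped."""
    event = copy.deepcopy(event)
    request = event.get("request")
    if isinstance(request, dict):
        headers = request.get("headers")
        if isinstance(headers, dict):
            request["headers"] = {
                k: (REDACTED if k.lower() in SENSITIVE_HEADERS else v)
                for k, v in headers.items()
            }
        if isinstance(request.get("cookies"), dict):
            request["cookies"] = {k: REDACTED for k in request["cookies"]}
        if "data" in request:
            request["data"] = redact_tree(request["data"])
    # Captured locals live under exception.values[].stacktrace.frames[].vars
    for exc in (event.get("exception") or {}).get("values") or []:
        for frame in (exc.get("stacktrace") or {}).get("frames") or []:
            if isinstance(frame.get("vars"), dict):
                frame["vars"] = redact_tree(frame["vars"])
    return event


# Constructed sample event (not a real capture), shaped like what the Django
# integration produces: a request section plus one frame with captured locals.
SAMPLE_EVENT = {
    "request": {
        "url": "https://api.example.com/v1/me",
        "method": "GET",
        "headers": {
            "Authorization": "Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b",
            "User-Agent": "curl/7.79.1",
            "Cookie": "sessionid=s3ss10n",
        },
        "cookies": {"sessionid": "s3ss10n"},
        "data": {"username": "alice", "password": "hunter2"},
    },
    "exception": {"values": [{
        "type": "KeyError",
        "stacktrace": {"frames": [{
            "function": "get",
            "vars": {
                "request": "<Request: GET '/v1/me'>",
                "auth_header": "'Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b'",
                "meta_repr": "{'HTTP_AUTHORIZATION': 'Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b'}",
            },
        }]},
    }]},
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT)["request"]["headers"])
    # Wiring (hypothetical DSN): sentry_sdk.init(dsn=..., before_send=scrub_event)
```

Pass the hook as `before_send=scrub_event` in the same `init(...)` call; `send_default_pii` can then stay enabled for user context while the token never leaves the process. The key pattern deliberately over-matches (a local named `author` is masked as well), which is the safer direction for a scrubber; narrow it to your own auth scheme if that noise matters.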
Thanks for writing in. We will improve our docs around this.
We have an event scrubber now that should take care of this: https://docs.sentry.io/platforms/python/data-management/sensitive-data/#event_scrubber