diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 8b4c060..ddb58c6 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,10 +14,9 @@ dev
 - Support for Python 3.14 has been added.
 - Support for PyPy 3.11 has been added.
 - **Bugfixes**
--
+- Headers marked as `sensitive` will no longer log their value at DEBUG level. Instead a placeholder value of `SENSITIVE_REDACTED` is logged.
 4.1.0 (2025-01-22)
 ------------------
diff --git a/src/hpack/hpack.py b/src/hpack/hpack.py
index 7e33e77..a017caa 100644
--- a/src/hpack/hpack.py
+++ b/src/hpack/hpack.py
@@ -284,16 +284,23 @@ def encode(self,
     def add(self, to_add: tuple[bytes, bytes], sensitive: bool, huffman: bool = False) -> bytes:
         """
         Serializes a header key-value tuple.
+
+        When sensitive is True, the header will not be added to the header table
+        (see https://www.rfc-editor.org/rfc/rfc7541.html#section-7.1.3 for details),
+        furthermore, the header value will be redacted in debug logs, as "SENSITIVE_REDACTED",
+        to prevent accidental exposure of sensitive information.
         """
+        name, value = to_add
+
+        display_value = value if not sensitive else b"SENSITIVE_REDACTED"
         log.debug(
-            "Adding %s to the header table, sensitive:%s, huffman:%s",
-            to_add,
+            "Adding %s=%s to the header table, sensitive:%s, huffman:%s",
+            name,
+            display_value,
             sensitive,
             huffman,
         )
-        name, value = to_add
-
         # Set our indexing mode
         indexbit = INDEX_INCREMENTAL if not sensitive else INDEX_NEVER
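Review bot: The redaction at `display_value = value if not sensitive else b"SENSITIVE_REDACTED"` is keyed solely on the caller-supplied `sensitive` argument, so a header that carries a secret but is not flagged by the caller is still logged in full at DEBUG, and the new docstring reads as a broader guarantee than that. I would add to the docstring `Redaction is opt-in: it applies only to this DEBUG log line and only when the caller passes sensitive=True; the header name is still logged in full.` so operators do not rely on it as a general log-scrubbing control. The conditional reads more directly as `display_value = b"SENSITIVE_REDACTED" if sensitive else value`, keeping the placeholder as bytes so `%s` renders it the same way as a real value. The body of add() continues past the end of the hunk, so whether the value is logged again later in the method cannot be confirmed from here.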