From 6b99d126da4c38cd5a5c4d6306fd30f05fd93d3c Mon Sep 17 00:00:00 2001
From: David Francoeur
Date: Fri, 13 Mar 2026 15:41:12 -0400
Subject: [PATCH] prevent sensitive header value being logged

---
 CHANGELOG.rst | 3 +--
 src/hpack/hpack.py | 14 ++++++++++----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 8b4c060..22eb2ee 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,10 +14,9 @@ dev
 - Support for Python 3.14 has been added.
 - Support for PyPy 3.11 has been added.
- **Bugfixes** --
+- Prevent sensitive headers from being leaked
 4.1.0 (2025-01-22)
 ------------------
diff --git a/src/hpack/hpack.py b/src/hpack/hpack.py
index 7e33e77..5efcf92 100644
--- a/src/hpack/hpack.py
+++ b/src/hpack/hpack.py
@@ -284,16 +284,22 @@ def encode(self,
     def add(self, to_add: tuple[bytes, bytes], sensitive: bool, huffman: bool = False) -> bytes:
         """
         Serializes a header key-value tuple.
+
+        When sensitive is True, the header will not be added to the header table,
+        furthermore, the header value will be redacted in debug logs, as "SENSITIVE_REDACTED",
+        to prevent accidental exposure of sensitive information.
         """
+        name, value = to_add
+
+        display_value = value if not sensitive else b"SENSITIVE_REDACTED"
         log.debug(
-            "Adding %s to the header table, sensitive:%s, huffman:%s",
-            to_add,
+            "Adding %s=%s to the header table, sensitive:%s, huffman:%s",
+            name,
+            display_value,
             sensitive,
             huffman,
         )
-        name, value = to_add
-
         # Set our indexing mode
         indexbit = INDEX_INCREMENTAL if not sensitive else INDEX_NEVER