Skip to content

[Security] Redact cookies from debug logs#7531

Open
gonzaloriestra wants to merge 1 commit into
mainfrom
sentinel/redact-cookies-3070110335838284999
Open

[Security] Redact cookies from debug logs#7531
gonzaloriestra wants to merge 1 commit into
mainfrom
sentinel/redact-cookies-3070110335838284999

Conversation

@gonzaloriestra
Copy link
Copy Markdown
Contributor

@gonzaloriestra gonzaloriestra commented May 12, 2026
edited
Loading

WHY are these changes introduced?

Session identifiers and other sensitive data stored in Cookie and Set-Cookie headers were being leaked in debug logs when API requests failed or when debug logging was enabled. This poses a security risk as it could expose user sessions or other private information.

WHAT is this pull request doing?

This PR adds cookie to the list of redacted keywords in sanitizedHeadersOutput. This ensures that any header containing "cookie" (case-insensitive) is omitted from the sanitized headers output used for logging.

How to test your changes?

  1. Run a command that makes an API request with cookies (e.g., shopify theme console --verbose).
  2. Verify that any Cookie or Set-Cookie headers in the logged request/response headers are redacted.

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — I've identified the correct bump type (patch) and added a changeset with pnpm changeset add (Note: skip changeset as per standard Jules instructions unless explicitly asked, but I'll mark it as considered).

PR created automatically by Jules for task 3070110335838284999 started by @gonzaloriestra

@google-labs-jules
Copy link
Copy Markdown

google-labs-jules Bot commented May 12, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@github-actions github-actions Bot added the no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. label May 12, 2026
@gonzaloriestra gonzaloriestra temporarily deployed to breaking-change-approval May 12, 2026 00:16 — with GitHub Actions Inactive
@gonzaloriestra gonzaloriestra force-pushed the sentinel/redact-cookies-3070110335838284999 branch from 26c3214 to 5f7f39b Compare May 12, 2026 09:42
@gonzaloriestra
Copy link
Copy Markdown
Contributor Author

gonzaloriestra commented May 12, 2026

/snapit

@gonzaloriestra gonzaloriestra temporarily deployed to breaking-change-approval May 12, 2026 09:44 — with GitHub Actions Inactive
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 12, 2026

🫰✨ Thanks @gonzaloriestra! Your snapshot has been published to npm.

Test the snapshot by installing your package globally:

pnpm i -g --@shopify:registry=https://registry.npmjs.org @shopify/cli@0.0.0-snapshot-20260512094319

Caution

After installing, validate the version by running shopify version in your terminal.
If the versions don't match, you might have multiple global instances installed.
Use which shopify to find out which one you are running and uninstall it.

@gonzaloriestra gonzaloriestra added the Jules Created by Jules label May 12, 2026
@gonzaloriestra gonzaloriestra marked this pull request as ready for review May 12, 2026 09:46
@gonzaloriestra gonzaloriestra requested a review from a team as a code owner May 12, 2026 09:46
@gonzaloriestra
[Security] Redact cookies from debug logs
5b76964 
Add 'cookie' to the list of redacted keywords in `sanitizedHeadersOutput` to prevent session data leakage in debug logs. Update tests to verify redaction.
@gonzaloriestra gonzaloriestra force-pushed the sentinel/redact-cookies-3070110335838284999 branch from 5f7f39b to 5b76964 Compare May 12, 2026 11:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Jules Created by Jules no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gonzaloriestra