Skip to content

Comments

Security: redact query strings + WS payloads from logs#206

Open
its-DeFine wants to merge 1 commit intocloudflare:mainfrom
its-DeFine:codex/redact-secrets-in-logs-20260208
Open

Security: redact query strings + WS payloads from logs#206
its-DeFine wants to merge 1 commit intocloudflare:mainfrom
its-DeFine:codex/redact-secrets-in-logs-20260208

Conversation

@its-DeFine
Copy link

@its-DeFine its-DeFine commented Feb 8, 2026

Redacts sensitive data from worker logs:

  • Never log URL query strings (often contain ?token=... / ?secret=...)
  • Stop logging WebSocket message payloads (may contain auth + user content)
  • CDP route: avoid logging request params

Motivation: prevent accidental credential leakage via logs.

PetrAnto pushed a commit to PetrAnto/moltworker that referenced this pull request Feb 24, 2026
@claude
fix(infra): upstream sync — bump OpenClaw, add WS redaction, R2 sync …
c1928fc 
…lock

- Bump openclaw 2026.2.3 → 2026.2.6-3 in Dockerfile (upstream PR cloudflare#204)
- Add redactWsPayload() to sanitize sensitive fields (api_key, token,
  auth, etc.) from WebSocket debug logs (upstream PR cloudflare#206)
- Add container-level lock file to prevent concurrent R2 sync operations,
  with 5-min stale lock cleanup (upstream PRs cloudflare#199, cloudflare#202)
- Add logging.test.ts for redaction utilities

https://claude.ai/code/session_01K2mQTABDGY7DnnposPdDjw
@PetrAnto PetrAnto mentioned this pull request Feb 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@its-DeFine