fix: sanitize Proxy-Authorization header in recovery panic logs

secureRequestDump only masks the Authorization header but not Proxy-Authorization, which also carries credentials (used by gin's own BasicAuthForProxy middleware). When a panic occurs behind proxy auth, credentials are logged in plaintext.
2026-04-29 23:23:18 +08:00 · 2026-04-09 06:10:47 -07:00 · 2026-04-09 06:10:47 -07:00 · 08e51b48be
commit 08e51b48be
parent cf3be80b0e
1 changed files with 2 additions and 2 deletions
--- a/recovery.go
+++ b/recovery.go
@ -99,8 +99,8 @@ func secureRequestDump(r *http.Request) string {
 	httpRequest, _ := httputil.DumpRequest(r, false)
 	lines := strings.Split(bytesconv.BytesToString(httpRequest), "\r\n")
 	for i, line := range lines {
-		if strings.HasPrefix(line, "Authorization:") {
-			lines[i] = "Authorization: *"
+		if strings.HasPrefix(line, "Authorization:") || strings.HasPrefix(line, "Proxy-Authorization:") {
+			lines[i] = strings.SplitN(line, ":", 2)[0] + ": *"
 		}
 	}
 	return strings.Join(lines, "\r\n")