Skip to content

ref(integrations): route HTTP header filtering through data collection config#6788

Open
ericapisani wants to merge 21 commits into
masterfrom
py-2584-update-wsgi-filter-headers
Open

ref(integrations): route HTTP header filtering through data collection config#6788
ericapisani wants to merge 21 commits into
masterfrom
py-2584-update-wsgi-filter-headers

Conversation

@ericapisani

@ericapisani ericapisani commented Jul 8, 2026

Copy link
Copy Markdown
Member

_filter_headers follows the legacy send_default_pii/use_annotated_value behaviour when the data collection behaviour is not enabled in _experiments.

When data collection is enabled, it now delegates to _apply_key_value_collection_filtering from sentry_sdk.data_collection, so header scrubbing respects the new data_collection.http_headers.request allowlist/denylist/off configuration when data collection.

Work to scrub cookies in a more granular way will be tackled as part of PY-2581/#6741.

Fixes PY-2584
Fixes #6744

…n config

`_filter_headers` previously used a hardcoded sensitive-header tuple and a
`send_default_pii`/`use_annotated_value` toggle. It now delegates to
`_apply_key_value_collection_filtering` from `sentry_sdk.data_collection`,
so header scrubbing respects the new `data_collection.http_headers.request`
allowlist/denylist/off configuration.

Cookie and set-cookie headers are
always redacted regardless of mode. Drops the now-unused
`use_annotated_value` parameter from all call sites.

Work to scrub cookies in a more granular way will be tackled as part of
PY-2581/#6741.

Fixes PY-2584
Fixes #6744
@linear-code

linear-code Bot commented Jul 8, 2026

Copy link
Copy Markdown

PY-2584

PY-2581

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Codecov Results 📊

92149 passed | ⏭️ 6302 skipped | Total: 98451 | Pass Rate: 93.6% | Execution Time: 314m 21s

📊 Comparison with Base Branch

Metric Change
Total Tests 📈 +295
Passed Tests 📈 +296
Failed Tests 📉 -1
Skipped Tests

➖ Removed Tests (1)

View removed tests
  • test_trace_decorator_async_no_trx
    • File: tests.tracing.test_decorator

All tests are passing successfully.

✅ Patch coverage is 100.00%. Project has 2478 uncovered lines.
✅ Project coverage is 89.69%. Comparing base (base) to head (head).

Files with missing lines (1)
File Patch % Lines
sentry_sdk/data_collection.py 100.00% ⚠️ 1 partials
Coverage diff
@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    89.68%    89.69%    +0.01%
==========================================
  Files          193       193         —
  Lines        24004     24045       +41
  Branches      8340      8370       +30
==========================================
+ Hits         21527     21567       +40
- Misses        2477      2478        +1
- Partials      1386      1389        +3

Generated by Codecov Action

Comment thread sentry_sdk/data_collection.py
Comment thread sentry_sdk/integrations/_wsgi_common.py
…ures

The new lambda_functions_with_embedded_sdk fixture directories were
missing the .gitignore that the other fixtures use to keep everything
except index.py untracked. As a result, certifi and urllib3 packages
installed by the test setup got committed, and ruff failed CI linting
against them since they're unmodified third-party code.

Add the missing .gitignore to each new fixture directory and remove
the committed vendored packages; they are regenerated automatically at
test time via `uv pip install --target`.
Comment on lines +118 to +122
headers = _get_headers(asgi_scope)

request_data["headers"] = _filter_headers(
headers,
use_annotated_value=False,

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change was done because when if the headers are filtered with "allowlist" and no terms are provided, and the "host" header is present, then the constructed URL in _get_url below would contain [Filtered] within the URL.

Doing this ensures that it gets filtered from the headers to respect data collection, but still correctly appears in the url

@ericapisani ericapisani marked this pull request as ready for review July 9, 2026 22:48
@ericapisani ericapisani requested a review from a team as a code owner July 9, 2026 22:48
…n config

`_filter_headers` previously used a hardcoded sensitive-header tuple and a
`send_default_pii`/`use_annotated_value` toggle. It now delegates to
`_apply_key_value_collection_filtering` from `sentry_sdk.data_collection`,
so header scrubbing respects the new `data_collection.http_headers.request`
allowlist/denylist/off configuration.

Cookie and set-cookie headers are
always redacted regardless of mode. Drops the now-unused
`use_annotated_value` parameter from all call sites.

Work to scrub cookies in a more granular way will be tackled as part of
PY-2581/#6741.

Fixes PY-2584
Fixes #6744
…ures

The new lambda_functions_with_embedded_sdk fixture directories were
missing the .gitignore that the other fixtures use to keep everything
except index.py untracked. As a result, certifi and urllib3 packages
installed by the test setup got committed, and ruff failed CI linting
against them since they're unmodified third-party code.

Add the missing .gitignore to each new fixture directory and remove
the committed vendored packages; they are regenerated automatically at
test time via `uv pip install --target`.
@ericapisani ericapisani force-pushed the py-2584-update-wsgi-filter-headers branch from 951c408 to d717172 Compare July 14, 2026 17:43
…ntry/sentry-python into py-2584-update-wsgi-filter-headers
Comment thread sentry_sdk/data_collection.py
@ericapisani ericapisani marked this pull request as draft July 15, 2026 19:23
The streaming path no longer emits a client span when there is no current
span (#6810), so unpack only the server span.
@ericapisani ericapisani marked this pull request as ready for review July 15, 2026 19:47
Comment on lines +136 to 138


def _map_from_send_default_pii(

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The _filter_headers function unconditionally redacts Cookie and Set-Cookie headers, ignoring the user's data_collection allowlist configuration and preventing cookie capture.
Severity: MEDIUM

Suggested Fix

Remove the hardcoded redaction loop for Cookie and Set-Cookie headers from the _filter_headers function. The _apply_key_value_collection_filtering function should be the sole authority for filtering based on the user's configuration. If cookies need special default handling, they should be added to the _SENSITIVE_DENYLIST so users can override the behavior via the allowlist.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location: sentry_sdk/data_collection.py#L136-L138

Potential issue: The `_filter_headers` function unconditionally redacts `Cookie` and
`Set-Cookie` headers, even when a user explicitly includes them in the
`data_collection.http_headers.request` allowlist. While the initial filtering step
correctly respects the allowlist, a subsequent hardcoded loop overwrites the cookie
values with `SENSITIVE_DATA_SUBSTITUTE`. This behavior is confirmed by a test case which
states that cookies are "always redacted...even when explicitly allowlisted". This
prevents users from capturing cookie values via the data collection API, silently
ignoring their explicit configuration and creating inconsistent behavior compared to
other allowlisted headers.

Also affects:

  • sentry_sdk/integrations/_wsgi_common.py
  • tests/integrations/wsgi/test_wsgi.py

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Update _filter_headers to check data collection settings when available

1 participant