From 209e85186319165a6a998de342788dbf989a0b90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Barto=C5=A1?= Date: Thu, 20 Nov 2025 11:28:27 +0100 Subject: [PATCH] [Docs] Warn users about printing headers in HTTP access logs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #43156 Signed-off-by: Martin Bartoš --- docs/guides/server/logging.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/guides/server/logging.adoc b/docs/guides/server/logging.adoc index 1a058d8adba7..f39e61a3db5f 100644 --- a/docs/guides/server/logging.adoc +++ b/docs/guides/server/logging.adoc @@ -287,6 +287,9 @@ You can even specify your own pattern with your required data to be logged, such <@kc.start parameters="--http-access-log-pattern='%A %{METHOD} %{REQUEST_URL} %{i,User-Agent}'"/> +WARNING: HTTP Access logs may contain sensitive HTTP headers like `Authorization`, `Cookie`, or external API keys references. +Be careful with using the `long` pattern or printing the headers by the custom format - you should use it only for development purposes. + Consult the https://quarkus.io/guides/http-reference#configuring-http-access-logs[Quarkus documentation] for the full list of variables that can be used. === Exclude specific URL paths
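Review bot: In the added WARNING, the second sentence is broader than the risk it describes: it discourages "printing the headers by the custom format" outside development, yet the example immediately above it prints a header with `%{i,User-Agent}`, so the guide now reads as warning against its own example. Narrow the sentence to the sensitive headers the first sentence names, for instance "Avoid the `long` pattern and custom patterns that print `Authorization`, `Cookie`, or similar headers outside of development." In the first sentence, "external API keys references" is unclear ("API keys" or "headers carrying API keys" reads better), and "HTTP Access logs" should be "HTTP access logs" to match the capitalization in the subject line.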