fix: redact sse key in debug logs (#5231)

0xMALVEE · web-flow · commit 2676e50bc1b9 · 2025-07-16T08:35:03.000-07:00
diff --git a/cmd/client-s3-trace_v4.go b/cmd/client-s3-trace_v4.go
@@ -38,6 +38,7 @@ func newTraceV4() httptracer.HTTPTracer {
 // Request - Trace HTTP Request
 func (t traceV4) Request(req *http.Request) (err error) {
 	origAuth := req.Header.Get("Authorization")
+	sseKey := req.Header.Get("X-Amz-Server-Side-Encryption-Customer-Key")
 
 	printTrace := func() error {
 		reqTrace, rerr := httputil.DumpRequestOut(req, false) // Only display header
@@ -47,6 +48,11 @@ func (t traceV4) Request(req *http.Request) (err error) {
 		return rerr
 	}
 
+	if strings.TrimSpace(sseKey) != "" {
+		// Stripe out SSE-C key from: X-Amz-Server-Side-Encryption-Customer-Key=<key>
+		req.Header.Set("X-Amz-Server-Side-Encryption-Customer-Key", "**REDACTED**")
+	}
+
 	if strings.TrimSpace(origAuth) != "" {
 		// Authorization (S3 v4 signature) Format:
 		// Authorization: AWS4-HMAC-SHA256 Credential=AKIAJNACEGBGMXBHLEZA/20150524/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=bbfaa693c626021bcb5f911cd898a1a30206c1fad6bad1e0eb89e282173bd24c
