From 7dfa1d0a41046ce94b8474247437ce4ea28e9ab8 Mon Sep 17 00:00:00 2001
From: bobby <1544881+desimone@users.noreply.github.com>
Date: Sun, 21 Jun 2020 10:07:30 -0700
Subject: [PATCH] authorize: only log headers if debug set (#940)
Signed-off-by: Bobby DeSimone
---
 authorize/grpc.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/authorize/grpc.go b/authorize/grpc.go
index 84e7afb1a..0198fe876 100644
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@@ -8,6 +8,7 @@ import (
 "strings"
 "github.com/golang/protobuf/ptypes"
+ "github.com/rs/zerolog"
 "github.com/pomerium/pomerium/authorize/evaluator"
 "github.com/pomerium/pomerium/internal/grpc/databroker"
@@ -277,7 +278,6 @@ func logAuthorizeCheck(
 evt = evt.Str("request-id", requestid.FromContext(ctx))
 evt = evt.Str("check-request-id", hdrs["X-Request-Id"])
 evt = evt.Str("method", hattrs.GetMethod())
- evt = evt.Interface("headers", hdrs)
 evt = evt.Str("path", hattrs.GetPath())
 evt = evt.Str("host", hattrs.GetHost())
 evt = evt.Str("query", hattrs.GetQuery())
@@ -287,5 +287,11 @@ func logAuthorizeCheck(
 evt = evt.Int("status", reply.Status)
 evt = evt.Str("message", reply.Message)
 }
+
+ // potentially sensitive, only log if debug mode
+ if zerolog.GlobalLevel() <= zerolog.DebugLevel {
+ evt = evt.Interface("headers", hdrs)
+ }
+
 evt.Msg("authorize check")
 }
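Review bot: Even behind the debug gate, `evt.Interface("headers", hdrs)` in the last hunk writes the whole header map to the log, so any `Authorization` or `Cookie` value on the checked request lands in log storage whenever debug is enabled for troubleshooting. Masking credential-bearing headers before logging keeps the debug output useful without storing bearer material; the sketch below assumes hdrs is a map[string]string, as the `hdrs["X-Request-Id"]` lookup passed to `Str` suggests. The gate also reads only `zerolog.GlobalLevel()`, so a logger carrying its own level would not be reflected; that is inferred, since the construction of `evt` is outside the hunk. logAuthorizeCheck's body starts outside the hunk.

```go
	// potentially sensitive, only log if debug mode
	if zerolog.GlobalLevel() <= zerolog.DebugLevel {
		// Copy the map so credential-bearing values never reach the log sink.
		redacted := make(map[string]string, len(hdrs))
		for k, v := range hdrs {
			switch {
			case strings.EqualFold(k, "Authorization"),
				strings.EqualFold(k, "Proxy-Authorization"),
				strings.EqualFold(k, "Cookie"):
				redacted[k] = "[redacted]"
			default:
				redacted[k] = v
			}
		}
		evt = evt.Interface("headers", redacted)
	}
	// … unchanged: evt.Msg("authorize check") …
```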