python-hyper · Kriechi · Mar 15, 2026 · Mar 13, 2026 · Mar 15, 2026 · Mar 15, 2026
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -14,10 +14,9 @@ dev
 - Support for Python 3.14 has been added.
 - Support for PyPy 3.11 has been added.
 
-
 **Bugfixes**
 
--
+- Prevent sensitive headers from being leaked
 
 4.1.0 (2025-01-22)
 ------------------

diff --git a/src/hpack/hpack.py b/src/hpack/hpack.py
@@ -284,16 +284,22 @@ def encode(self,
     def add(self, to_add: tuple[bytes, bytes], sensitive: bool, huffman: bool = False) -> bytes:
         """
         Serializes a header key-value tuple.
+
+        When sensitive is True, the header will not be added to the header table,
+        furthermore, the header value will be redacted in debug logs, as "SENSITIVE_REDACTED",
+        to prevent accidental exposure of sensitive information.
         """
+        name, value = to_add
+
+        display_value = value if not sensitive else b"SENSITIVE_REDACTED"
         log.debug(
-            "Adding %s to the header table, sensitive:%s, huffman:%s",
-            to_add,
+            "Adding %s=%s to the header table, sensitive:%s, huffman:%s",
+            name,
+            display_value,
             sensitive,
             huffman,
         )
 
-        name, value = to_add
-
         # Set our indexing mode
         indexbit = INDEX_INCREMENTAL if not sensitive else INDEX_NEVER