From a86d7cd3d68f30b7a7f8d333b502b64cfbc007f2 Mon Sep 17 00:00:00 2001
From: Elifarley C <elifarley@gmail.com>
Date: Mon, 8 Dec 2025 12:13:34 -0300
Subject: [PATCH] Replace API key redaction with SHA256 hash display
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Instead of showing generic "[REDACTED]" for sensitive headers, the SanitizeHeaders
function now calculates and displays the SHA256 hash of each API key. This provides:
- Better debugging capabilities by allowing key identification via hash
- Traceability of specific API keys across requests
- Maintained security as actual keys are never exposed

Changes in proxy/internal/handler/utils.go

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 proxy/internal/handler/utils.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/proxy/internal/handler/utils.go b/proxy/internal/handler/utils.go
index 894f640..cf88be5 100644
--- a/proxy/internal/handler/utils.go
+++ b/proxy/internal/handler/utils.go
@@ -36,7 +36,13 @@ func SanitizeHeaders(headers http.Header) http.Header {
 		}
 
 		if isSensitive {
-			sanitized[key] = []string{"[REDACTED]"}
+			// Calculate SHA256 hash for each sensitive header value
+			hashedValues := make([]string, len(values))
+			for i, value := range values {
+				hash := sha256.Sum256([]byte(value))
+				hashedValues[i] = fmt.Sprintf("sha256:%x", hash)
+			}
+			sanitized[key] = hashedValues
 		} else {
 			sanitized[key] = values
 		}