Mask secrets in debug output

[tekumara]

Feature Description

Obfuscate or remove secrets in debug output, eg: the Api-Key value below has been replaced with ************:

time="2024-04-25T07:51:56Z" level=info msg="Request:\nPUT /collections/k6-load-test HTTP/1.1\nHost: myapp\nUser-Agent: k6/0.50.0 (https://k6.io/)\nContent-Length: 94\nApi-Key: ************\nContent-Type: application/json\nAccept-Encoding: gzip\n\n{\"vectors\":{\"size\":1536,\"distance\":\"Dot\"},\"replication_factor\":3,\"write_consistency_factor\":3}\n" group="::setup" iter=0 request_id=05651186-bbe5-41e0-7480-fa0a63214ecd source=http-debug vu=0

Suggested Solution (optional)

The easiest solution is probably to have a flag that disables outputting headers (which are the most likely location of secrets, tokens, api keys, cookies etc.) A more advanced solution could detect and mask based on high entropy.

Already existing or connected issues / PRs (optional)

No response

[codebien]

Honestly, it sounds like something unlikely to be developed in the current k6/http module directly from the k6 core team. At the moment the demand is not so high to justify the complexity it would bring to the API.

If you plan to contribute, we might consider it and discuss together an API.