villadora / express-bunyan-logger

bunyan logger middleware for express

Obfuscation potentially mutates req/res data #44

Open xdissent opened 7 years ago

xdissent commented 7 years ago

If you add an obfuscate option like obfuscate: ['body.password'] and attempt to access req.body.password after the req has been logged (immediate: true for example), you'll receive [HIDDEN] as the value for req.body.password. The logger should deep copy the req/res data (body, headers), rather than assigning, to prevent mutation.

jingram-classy commented 7 years ago

We provided an optimization to do work after express returned, and it turns out our sensitive but important information is clobbered by the [HIDDEN] string.