fix: don't expose sensible data

Signed-off-by: David Weber <david.weber@w3tec.ch>
2023-05-24 20:53:36 +02:00
parent 0eea1e0304
commit 95987388f2
2 changed files with 16 additions and 1 deletions
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-proxy-backend': patch
+---
+
+The headers `Authorization` and `X-Api-Key` are sensitive and must be declared a secret.
@@ -31,7 +31,17 @@ export interface Config {
          /**
           * Object with extra headers to be added to target requests.
           */
-          headers?: { [key: string]: string };
+          headers?: Partial<{
+            /** @visibility secret */
+            Authorization: string;
+            /** @visibility secret */
+            authorization: string;
+            /** @visibility secret */
+            'X-Api-Key': string;
+            /** @visibility secret */
+            'x-api-key': string;
+            [key: string]: string;
+          }>;
          /**
           * Changes the origin of the host header to the target URL. Default: true.
           */