Updated denylist to include other widely used cookies/headers (#1972)

* Updated denylist to include other widely used cookies/headers * Made check case insensitive
getsentry · Mar 22, 2023 · 665ab60 · 665ab60
1 parent f9ec128
commit 665ab60
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/sentry_sdk/scrubber.py b/sentry_sdk/scrubber.py
@@ -42,13 +42,27 @@
     "x_api_key",
     "x_forwarded_for",
     "x_real_ip",
+    # other common names used in the wild
+    "aiohttp_session",  # aiohttp
+    "connect.sid",  # Express
+    "csrf_token",  # Pyramid
+    "csrf",  # (this is a cookie name used in accepted answers on stack overflow)
+    "_csrf",  # Express
+    "_csrf_token",  # Bottle
+    "PHPSESSID",  # PHP
+    "_session",  # Sanic
+    "symfony",  # Symfony
+    "user_session",  # Vue
+    "_xsrf",  # Tornado
+    "XSRF-TOKEN",  # Angular, Laravel
 ]
 
 
 class EventScrubber(object):
     def __init__(self, denylist=None):
         # type: (Optional[List[str]]) -> None
         self.denylist = DEFAULT_DENYLIST if denylist is None else denylist
+        self.denylist = [x.lower() for x in self.denylist]
 
     def scrub_dict(self, d):
         # type: (Dict[str, Any]) -> None