feat(core): Parse individual cookies from cookie header by s1gr1d · Pull Request #18325 · getsentry/sentry-javascript

s1gr1d · 2025-11-25T13:59:13Z

Parse each individual cookie header and filter sensitive cookies to at least know which keys the cookie string included.

Follow-up on #18311

Closes #18441

packages/core/src/utils/request.ts

@@ -180,6 +196,26 @@ export function httpHeadersToSpanAttributes(
  return spanAttributes;
 }


github-actions · 2025-11-25T14:06:25Z

size-limit report 📦

Path	Size	% Change	Change
@sentry/browser	24.8 kB	-	-
@sentry/browser - with treeshaking flags	23.31 kB	-	-
@sentry/browser (incl. Tracing)	41.54 kB	-	-
@sentry/browser (incl. Tracing, Profiling)	46.13 kB	-	-
@sentry/browser (incl. Tracing, Replay)	79.96 kB	-	-
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags	69.69 kB	-	-
@sentry/browser (incl. Tracing, Replay with Canvas)	84.64 kB	-	-
@sentry/browser (incl. Tracing, Replay, Feedback)	96.88 kB	-	-
@sentry/browser (incl. Feedback)	41.48 kB	-	-
@sentry/browser (incl. sendFeedback)	29.49 kB	-	-
@sentry/browser (incl. FeedbackAsync)	34.47 kB	-	-
@sentry/react	26.52 kB	-	-
@sentry/react (incl. Tracing)	43.74 kB	-	-
@sentry/vue	29.25 kB	-	-
@sentry/vue (incl. Tracing)	43.34 kB	-	-
@sentry/svelte	24.82 kB	-	-
CDN Bundle	27.21 kB	-	-
CDN Bundle (incl. Tracing)	42.21 kB	-	-
CDN Bundle (incl. Tracing, Replay)	78.75 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback)	84.2 kB	-	-
CDN Bundle - uncompressed	79.96 kB	-	-
CDN Bundle (incl. Tracing) - uncompressed	125.34 kB	-	-
CDN Bundle (incl. Tracing, Replay) - uncompressed	241.37 kB	-	-
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed	254.13 kB	-	-
@sentry/nextjs (client)	45.96 kB	-	-
@sentry/sveltekit (client)	41.9 kB	-	-
@sentry/node-core	51.5 kB	+0.46%	+232 B 🔺
@sentry/node	159.76 kB	+0.15%	+239 B 🔺
@sentry/node - without tracing	92.85 kB	-0.01%	-1 B 🔽
@sentry/aws-serverless	108.38 kB	+0.22%	+234 B 🔺

View base workflow run

github-actions · 2025-11-25T14:08:16Z

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario	Requests/s	% of Baseline	Prev. Requests/s	Change %
GET Baseline	11,507	-	8,693	+32%
GET With Sentry	2,054	18%	1,701	+21%
GET With Sentry (error only)	7,896	69%	6,002	+32%
POST Baseline	1,219	-	1,196	+2%
POST With Sentry	618	51%	595	+4%
POST With Sentry (error only)	1,088	89%	1,057	+3%
MYSQL Baseline	4,061	-	3,301	+23%
MYSQL With Sentry	630	16%	599	+5%
MYSQL With Sentry (error only)	3,342	82%	2,666	+25%

View base workflow run

packages/core/src/utils/request.ts

Lms24

I think bugbot is right with the cookie/set-cookie difference, so let's double check this.

one more Q: Do we need to adjust the semantic conventions for "sub" http headers? From what I can tell the spec covers arbitrary keys afoter http.request.headers.<key> but I just want to make sure <key> could contain another . as in the cookie header attribute case.

Lms24 · 2025-11-26T08:15:40Z

packages/core/src/utils/request.ts

-      } else if (typeof value === 'string') {
-        spanAttributes[normalizedKey] = value;
+      const lowerCasedHeaderKey = key.toLowerCase();
+      const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';


l: probably saves us a few bytes:

Suggested change

const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';

const isCookieHeader = /^(set-)cookie$?/.test(lowerCasedHeaderKey)

Lms24 · 2025-11-26T08:36:45Z

packages/core/src/utils/request.ts

+      const lowerCasedHeaderKey = key.toLowerCase();
+      const isCookieHeader = lowerCasedHeaderKey === 'cookie' || lowerCasedHeaderKey === 'set-cookie';
+
+      if (isCookieHeader && typeof value === 'string' && value !== '') {


q: do we handle arrays of cookie headers? (or is this not relevant for cookie/set-cookie?)

For the sake of simplicity (as cookies are one string), an array would just be parsed as ...header.cookie: [Filtered]. There is also a test that checks that a cookie attribute is always filtered.

Lms24 · 2025-11-26T08:40:24Z

packages/core/test/lib/utils/request.test.ts

+      });
+
+      it('attaches and filters sensitive a set-cookie header', () => {
+        const headers1 = { 'Set-Cookie': 'user_session=def456' };


l: let's add or adjust a test here for a set-cookie header with additional properties (e.g. like max-age)

packages/node-core/src/integrations/http/httpServerSpansIntegration.ts

packages/core/src/utils/request.ts

+        const isSetCookie = lowerCasedHeaderKey === 'set-cookie';
+        const semicolonIndex = value.indexOf(';');


packages/sveltekit/src/server-common/handle.ts

feat(core): Parse individual cookies from cookie header

22cb73e

s1gr1d requested review from Lms24 and andreiborza November 25, 2025 13:59

sentry bot reviewed Nov 25, 2025

View reviewed changes

packages/core/src/utils/request.ts

@@ -180,6 +196,26 @@ export function httpHeadersToSpanAttributes(

return spanAttributes;

}

This comment was marked as outdated.

Sign in to view

s1gr1d added 2 commits November 25, 2025 15:52

check for multiple = sign in cookie value

27cc608

fix failing tests

5a8f350

cursor bot reviewed Nov 25, 2025

View reviewed changes

packages/core/src/utils/request.ts Outdated Show resolved Hide resolved

packages/core/src/utils/request.ts Show resolved Hide resolved

s1gr1d added 3 commits November 25, 2025 15:58

fix linting problem

e5407f0

handle undefined case

1b4d3c5

handle undefined type case

f3231a3

Lms24 reviewed Nov 26, 2025

View reviewed changes

s1gr1d added 2 commits December 9, 2025 11:05

handle set-cookie with attributes

0a6a4b2

Merge branch 'develop' into sig/cookie-headers

d3de185

This was referenced Dec 9, 2025

feat(core): Parse individual cookies from cookie header #18440

Closed

feat(core): Parse individual cookies from cookie header #18441

Closed

sentry bot reviewed Dec 9, 2025

View reviewed changes

packages/node-core/src/integrations/http/httpServerSpansIntegration.ts Show resolved Hide resolved

s1gr1d added 2 commits December 9, 2025 11:20

add missing argument

51656f0

fix typo

01afe8c

sentry bot reviewed Dec 9, 2025

View reviewed changes

packages/core/src/utils/request.ts

Comment on lines +179 to +180

const isSetCookie = lowerCasedHeaderKey === 'set-cookie';

const semicolonIndex = value.indexOf(';');

This comment was marked as outdated.

Sign in to view

cursor bot reviewed Dec 9, 2025

View reviewed changes

packages/sveltekit/src/server-common/handle.ts Outdated Show resolved Hide resolved

fix import

0e91b47

Lms24 approved these changes Dec 10, 2025

View reviewed changes

s1gr1d merged commit ec8c8c6 into develop Dec 10, 2025
206 checks passed

s1gr1d deleted the sig/cookie-headers branch December 10, 2025 14:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(core): Parse individual cookies from cookie header#18325

feat(core): Parse individual cookies from cookie header#18325
s1gr1d merged 11 commits intodevelopfrom
sig/cookie-headers

s1gr1d commented Nov 25, 2025 •

edited by github-actions bot

Loading

Uh oh!

This comment was marked as outdated.

Uh oh!

github-actions bot commented Nov 25, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Nov 25, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Lms24 left a comment

Uh oh!

Lms24 Nov 26, 2025

Uh oh!

Lms24 Nov 26, 2025

Uh oh!

s1gr1d Dec 9, 2025

Uh oh!

Lms24 Nov 26, 2025

Uh oh!

Uh oh!

This comment was marked as outdated.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

		@@ -180,6 +196,26 @@ export function httpHeadersToSpanAttributes(
		return spanAttributes;
		}

	const isCookieHeader = lowerCasedHeaderKey === 'cookie' \|\| lowerCasedHeaderKey === 'set-cookie';
	const isCookieHeader = /^(set-)cookie$?/.test(lowerCasedHeaderKey)

		const isSetCookie = lowerCasedHeaderKey === 'set-cookie';
		const semicolonIndex = value.indexOf(';');

Uh oh!

Conversation

s1gr1d commented Nov 25, 2025 • edited by github-actions bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment was marked as outdated.

Uh oh!

github-actions bot commented Nov 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

size-limit report 📦

Uh oh!

github-actions bot commented Nov 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

node-overhead report 🧳

Uh oh!

Uh oh!

Uh oh!

Lms24 left a comment

Choose a reason for hiding this comment

Uh oh!

Lms24 Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

Lms24 Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

s1gr1d Dec 9, 2025

Choose a reason for hiding this comment

Uh oh!

Lms24 Nov 26, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

This comment was marked as outdated.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

s1gr1d commented Nov 25, 2025 •

edited by github-actions bot

Loading

github-actions bot commented Nov 25, 2025 •

edited

Loading

github-actions bot commented Nov 25, 2025 •

edited

Loading