ref: Expand scrubbing (#6161)

sentrivana · claude · web-flow · commit ebe6f2aa6b4f · 2026-04-29T11:19:21.000+02:00
Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/sentry_sdk/integrations/_wsgi_common.py b/sentry_sdk/integrations/_wsgi_common.py
@@ -31,6 +31,7 @@
     "HTTP_SET_COOKIE",
     "HTTP_COOKIE",
     "HTTP_AUTHORIZATION",
+    "HTTP_PROXY_AUTHORIZATION",
     "HTTP_X_API_KEY",
     "HTTP_X_FORWARDED_FOR",
     "HTTP_X_REAL_IP",
diff --git a/sentry_sdk/scrubber.py b/sentry_sdk/scrubber.py
@@ -34,6 +34,7 @@
     "set_cookie",
     "cookie",
     "authorization",
+    "proxy-authorization",
     "x_api_key",
     # other common names used in the wild
     "aiohttp_session",  # aiohttp
diff --git a/tests/integrations/fastapi/test_fastapi.py b/tests/integrations/fastapi/test_fastapi.py
@@ -403,6 +403,7 @@ async def test_original_request_not_scrubbed(
     async def _error(request: Request):
         logging.critical("Oh no!")
         assert request.headers["Authorization"] == "Bearer ohno"
+        assert request.headers["Proxy-Authorization"] == "Basic ohno"
         assert await request.json() == {"password": "secret"}
 
         return {"error": "Oh no!"}
@@ -411,12 +412,18 @@ async def _error(request: Request):
 
     client = TestClient(app)
     client.post(
-        "/error", json={"password": "secret"}, headers={"Authorization": "Bearer ohno"}
+        "/error",
+        json={"password": "secret"},
+        headers={
+            "Authorization": "Bearer ohno",
+            "Proxy-Authorization": "Basic ohno",
+        },
     )
 
     event = events[0]
     assert event["request"]["data"] == {"password": "[Filtered]"}
     assert event["request"]["headers"]["authorization"] == "[Filtered]"
+    assert event["request"]["headers"]["proxy-authorization"] == "[Filtered]"
 
 
 def test_response_status_code_ok_in_transaction_context(sentry_init, capture_envelopes):
diff --git a/tests/integrations/flask/test_flask.py b/tests/integrations/flask/test_flask.py
@@ -903,19 +903,26 @@ def index():
         logging.critical("oops")
         assert request.get_json() == {"password": "ohno"}
         assert request.headers["Authorization"] == "Bearer ohno"
+        assert request.headers["Proxy-Authorization"] == "Basic ohno"
         return "ok"
 
     events = capture_events()
 
     client = app.test_client()
     client.post(
-        "/", json={"password": "ohno"}, headers={"Authorization": "Bearer ohno"}
+        "/",
+        json={"password": "ohno"},
+        headers={
+            "Authorization": "Bearer ohno",
+            "Proxy-Authorization": "Basic ohno",
+        },
     )
 
     (event,) = events
 
     assert event["request"]["data"]["password"] == "[Filtered]"
     assert event["request"]["headers"]["Authorization"] == "[Filtered]"
+    assert event["request"]["headers"]["Proxy-Authorization"] == "[Filtered]"
 
 
 def test_response_status_code_ok_in_transaction_context(
diff --git a/tests/integrations/starlette/test_starlette.py b/tests/integrations/starlette/test_starlette.py
@@ -1193,6 +1193,7 @@ def test_original_request_not_scrubbed(sentry_init, capture_events):
     async def _error(request):
         logging.critical("Oh no!")
         assert request.headers["Authorization"] == "Bearer ohno"
+        assert request.headers["Proxy-Authorization"] == "Basic ohno"
         assert await request.json() == {"password": "ohno"}
         return starlette.responses.JSONResponse({"status": "Oh no!"})
 
@@ -1206,12 +1207,16 @@ async def _error(request):
     client.post(
         "/error",
         json={"password": "ohno"},
-        headers={"Authorization": "Bearer ohno"},
+        headers={
+            "Authorization": "Bearer ohno",
+            "Proxy-Authorization": "Basic ohno",
+        },
     )
 
     event = events[0]
     assert event["request"]["data"] == {"password": "[Filtered]"}
     assert event["request"]["headers"]["authorization"] == "[Filtered]"
+    assert event["request"]["headers"]["proxy-authorization"] == "[Filtered]"
 
 
 @pytest.mark.skipif(STARLETTE_VERSION < (0, 24), reason="Requires Starlette >= 0.24")
