Should "sensitive" header types set HeaderValue::is_sensitive?

[seanmonstar]

There is an attribute of HeaderValue that marks it as "sensitive". This currently has 2 effects:

• In HTTP2, the HPACK never-indexed-literals flag is set. This keeps the value from being stored in the dynamic HPACK table.
• Alters the Debug output to simply write the word "Sensitive" instead of the actual bytes, which can help with accidental storage of secrets or PII.

Should these potentially sensitive headers set this flag when encoding to a HeaderValue?

• Authorization
• Cookie
• Set-Cookie
• Others?

[carllerche]

Perhaps all header types should have a sensitive flag and some set them by default?

[shikhar]

+1 on preventing accidental exposure of secrets in Debug output. I converted over from using a HeaderValue explicitly marked sensitive to the Authorization typed header and had expected that would continue to be the case.