
feat(bun): Set http response header attributes instead of response context headers #19821

Merged
Lms24 merged 3 commits into develop from lms/feat-bun-http-response-headers on Mar 17, 2026

Conversation

@Lms24 Lms24 (Member) commented Mar 16, 2026

This PR addresses the issue reported in #19790 where our Bun serve instrumentation blindly attached all HTTP response headers to request contexts. This was problematic as explained in the issue since sensitive headers could have been sent.

This PR ensures we no longer do this, while retaining safe response headers:

  • Adjusted httpHeadersToSpanAttributes helper from core to also generate http.response headers if an optional lifecycle parameter is added to the call
  • Removed setting contexts.response.headers: We never do this. In Node, we only set the response status on this context.
  • Instead, we now send response headers as span attributes on the http.server span. By leveraging httpHeadersToSpanAttributes we now have the same sensitive data mechanisms in place as with request headers which we already send this way. Meaning, a bunch of authorization headers are filtered always, and cookie/set-cookie headers are filtered depending on sendDefaultPii.

Note: This can be considered a subtle behaviour break but given the incorrectness of always setting response headers unconditionally before, I think this is justified. Contexts are not indexed, hence alerts can't be built on top of them and neither saved discover or explore queries. I'm also not aware of Relay promoting response.header.* values to tags, so we should be safe here.

Closes #19790
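As an added illustration (not the SDK's own httpHeadersToSpanAttributes; the helper name, the exact always-dropped header list and the cookie handling are assumptions that only approximate the real helper), this shows the filtering the description lays out: credential headers dropped unconditionally, cookie/set-cookie gated on sendDefaultPii, and the http.<lifecycle>.header.* key shape visible in the review snippet, applied to constructed sample headers:

```typescript
// Added example, not the SDK's own code; helper name, dropped-header list and cookie rule are assumptions.
type Lifecycle = 'request' | 'response';
type HeaderMap = Record<string, string | string[] | undefined>;
// Assumed: credential-bearing headers that are never recorded, regardless of sendDefaultPii.
const ALWAYS_DROPPED = new Set(['authorization', 'proxy-authorization', 'www-authenticate', 'proxy-authenticate']);
// Assumed: headers recorded only when sendDefaultPii is enabled.
const PII_ONLY = new Set(['cookie', 'set-cookie']);

// Key shape as in the reviewed snippet: lowercase, non-alphanumerics become "_".
function normalizeAttributeKey(key: string): string {
  return key.toLowerCase().replace(/[^a-z0-9]/g, '_');
}

function headersToSpanAttributes(
  headers: HeaderMap,
  lifecycle: Lifecycle,
  sendDefaultPii: boolean,
): Record<string, string> {
  const attrs: Record<string, string> = {};
  for (const [rawKey, rawValue] of Object.entries(headers)) {
    const key = rawKey.toLowerCase();
    // Skip missing values before any key work, as the reviewed snippet does.
    if (rawValue == null || ALWAYS_DROPPED.has(key)) continue;
    const base = `http.${lifecycle}.header.${normalizeAttributeKey(key)}`;
    if (PII_ONLY.has(key)) {
      if (!sendDefaultPii) continue;
      // Assumed: one attribute per cookie name, keeping the value but not
      // Path/HttpOnly/etc.; mirrors the cookieKey suffix in the snippet.
      const parts = Array.isArray(rawValue) ? rawValue : rawValue.split(';');
      for (const part of parts) {
        const pair = (part.split(';')[0] ?? '').trim();
        const eq = pair.indexOf('=');
        if (eq <= 0) continue;
        attrs[`${base}.${normalizeAttributeKey(pair.slice(0, eq).trim())}`] = pair.slice(eq + 1);
      }
      continue;
    }
    attrs[base] = Array.isArray(rawValue) ? rawValue.join(', ') : rawValue;
  }
  return attrs;
}

// Constructed sample of a server response's headers (not captured from a real app).
const SAMPLE_RESPONSE_HEADERS: HeaderMap = {
  'Content-Type': 'application/json',
  'Set-Cookie': ['sid=abc123; Path=/; HttpOnly', 'theme=dark'],
  'WWW-Authenticate': 'Bearer realm="api"',
  'X-Request-Id': undefined,
};
```

With sendDefaultPii off only the content-type attribute survives; with it on, each Set-Cookie value becomes its own http.response.header.set_cookie.<name> attribute while WWW-Authenticate is still dropped.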

github-actions bot (Contributor) commented Mar 16, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path Size % Change Change
@sentry/browser 25.64 kB - -
@sentry/browser - with treeshaking flags 24.14 kB - -
@sentry/browser (incl. Tracing) 42.62 kB - -
@sentry/browser (incl. Tracing, Profiling) 47.28 kB - -
@sentry/browser (incl. Tracing, Replay) 81.42 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 71 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 86.12 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 98.37 kB - -
@sentry/browser (incl. Feedback) 42.45 kB - -
@sentry/browser (incl. sendFeedback) 30.31 kB - -
@sentry/browser (incl. FeedbackAsync) 35.36 kB - -
@sentry/browser (incl. Metrics) 26.92 kB - -
@sentry/browser (incl. Logs) 27.07 kB - -
@sentry/browser (incl. Metrics & Logs) 27.74 kB - -
@sentry/react 27.39 kB - -
@sentry/react (incl. Tracing) 44.95 kB - -
@sentry/vue 30.08 kB - -
@sentry/vue (incl. Tracing) 44.48 kB - -
@sentry/svelte 25.66 kB - -
CDN Bundle 28.28 kB +0.04% +11 B 🔺
CDN Bundle (incl. Tracing) 43.51 kB +0.03% +10 B 🔺
CDN Bundle (incl. Logs, Metrics) 29.14 kB +0.05% +12 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) 44.36 kB +0.03% +11 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) 68.21 kB +0.02% +12 B 🔺
CDN Bundle (incl. Tracing, Replay) 80.33 kB +0.02% +13 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) 81.23 kB +0.02% +13 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) 85.87 kB +0.02% +12 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) 86.77 kB +0.02% +12 B 🔺
CDN Bundle - uncompressed 82.62 kB +0.08% +59 B 🔺
CDN Bundle (incl. Tracing) - uncompressed 128.56 kB +0.05% +59 B 🔺
CDN Bundle (incl. Logs, Metrics) - uncompressed 85.49 kB +0.07% +59 B 🔺
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed 131.43 kB +0.05% +59 B 🔺
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 209.12 kB +0.03% +59 B 🔺
CDN Bundle (incl. Tracing, Replay) - uncompressed 245.41 kB +0.03% +59 B 🔺
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed 248.26 kB +0.03% +59 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 258.32 kB +0.03% +59 B 🔺
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed 261.17 kB +0.03% +59 B 🔺
@sentry/nextjs (client) 47.37 kB - -
@sentry/sveltekit (client) 43.07 kB - -
@sentry/node-core 56.35 kB +0.05% +28 B 🔺
@sentry/node 173.17 kB -0.02% -18 B 🔽
@sentry/node - without tracing 96.35 kB +0.01% +5 B 🔺
@sentry/aws-serverless 113.35 kB +0.01% +11 B 🔺


github-actions bot (Contributor) commented Mar 16, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

Scenario Requests/s % of Baseline Prev. Requests/s Change %
GET Baseline 8,861 - 9,352 -5%
GET With Sentry 1,727 19% 1,699 +2%
GET With Sentry (error only) 6,087 69% 6,181 -2%
POST Baseline 1,189 - 1,205 -1%
POST With Sentry 598 50% 595 +1%
POST With Sentry (error only) 1,041 88% 1,073 -3%
MYSQL Baseline 3,260 - 3,307 -1%
MYSQL With Sentry 451 14% 451 -
MYSQL With Sentry (error only) 2,629 81% 2,688 -2%


@Lms24 Lms24 marked this pull request as ready for review March 16, 2026 14:24
@Lms24 Lms24 requested review from isaacs and s1gr1d March 16, 2026 14:45
Comment on lines +232 to 238
if (headerValue == null) {
return;
}

const normalizedKey = `http.${lifecycle}.header.${normalizeAttributeKey(headerKey)}${cookieKey ? `.${normalizeAttributeKey(cookieKey)}` : ''}`;
spanAttributes[normalizedKey] = headerValue;
}
Lms24 (Member, Author) commented:

These are just minimal optimizations for performance/bundle size but I don't think they fully paid off. Main reasoning: If we do nothing on headerValue === undefined we can also early return and save the little time it takes to compute the header key. Happy to revert if reviewers prefer the old version.

@Lms24 Lms24 enabled auto-merge (squash) March 17, 2026 12:17
@Lms24 Lms24 merged commit 244db35 into develop Mar 17, 2026
450 of 452 checks passed
@Lms24 Lms24 deleted the lms/feat-bun-http-response-headers branch March 17, 2026 12:47
Lms24 added a commit that referenced this pull request Mar 17, 2026
…ontext headers (#19822)

same as #19821 but for deno server instrumentation. To be merged after
#19821

ref #19790


Development

Successfully merging this pull request may close these issues.

Security Bug Report - Bun response headers leaked via transaction context (Set-Cookie exfiltration)

2 participants