winhowes · winhowes · May 8, 2026 · May 8, 2026
diff --git a/app/auth/plugins/envoy_xfcc/envoy_xfcc_test.go b/app/auth/plugins/envoy_xfcc/envoy_xfcc_test.go
@@ -49,7 +49,7 @@ func TestEnvoyXFCCDisallowedURIFails(t *testing.T) {
 	}
 }
 
-func TestEnvoyXFCCAuthenticateFailureLogsHeaders(t *testing.T) {
+func TestEnvoyXFCCAuthenticateFailureLogsConfiguredHeaderOnly(t *testing.T) {
 	var buf bytes.Buffer
 	oldLogger := authplugins.SetLogger(slog.New(slog.NewJSONHandler(&buf, &slog.HandlerOptions{Level: slog.LevelDebug})))
 	t.Cleanup(func() { authplugins.SetLogger(oldLogger) })
@@ -76,13 +76,16 @@ func TestEnvoyXFCCAuthenticateFailureLogsHeaders(t *testing.T) {
 		"X-Forwarded-Client-Cert",
 		"spiffe://denied",
 		"spiffe://also-denied",
-		"X-Debug-Header",
-		"debug-value",
 	} {
 		if !strings.Contains(got, want) {
 			t.Fatalf("expected log to contain %q; got %s", want, got)
 		}
 	}
+	for _, notWant := range []string{"X-Debug-Header", "debug-value"} {
+		if strings.Contains(got, notWant) {
+			t.Fatalf("expected log to omit %q; got %s", notWant, got)
+		}
+	}
 }
 
 func TestEnvoyXFCCAuthenticateSuccessDoesNotLogHeaders(t *testing.T) {

diff --git a/app/auth/plugins/envoy_xfcc/incoming.go b/app/auth/plugins/envoy_xfcc/incoming.go
@@ -73,16 +73,17 @@ func (e *EnvoyXFCCAuth) StripAuth(r *http.Request, p interface{}) {
 }
 
 func logAuthFailure(ctx context.Context, r *http.Request, header, reason string) {
-	headers := http.Header{}
-	if r != nil {
-		headers = r.Header.Clone()
-	}
 	attrs := []any{
 		"reason", reason,
-		"headers", headers,
 	}
 	if header != "" {
-		attrs = append(attrs, "configured_header", header)
+		headers := http.Header{}
+		if r != nil {
+			if values := r.Header.Values(header); len(values) > 0 {
+				headers[http.CanonicalHeaderKey(header)] = append([]string(nil), values...)
+			}
+		}
+		attrs = append(attrs, "configured_header", header, "headers", headers)
 	}
 	authplugins.Logger().WarnContext(ctx, "envoy_xfcc authentication failed", attrs...)
 }