Sometimes authentication information is sent over HTTP through cookies, but when using GIT_TRACE_CURL, that information appears in logs. There are some HTTP headers already redacted ("Authorization:" and "Proxy-Authorization:") - the first patch extends such redaction to a user-specified list. I've also included another patch to allow omission of data transmission information from being logged when using GIT_TRACE_CURL. This reduces the information logged to that similar to GIT_CURL_VERBOSE. (As for why not use GIT_CURL_VERBOSE instead - that is because GIT_CURL_VERBOSE does not perform any redaction, merely using Curl's default logging mechanism.) The patches are ready for merging, but I marked this as "RFC" just in case there is a better way to accomplish this. Jonathan Tan (2): http: support cookie redaction when tracing http: support omitting data from traces http.c | 82 ++++++++++++++++++++++++++++++++++++++++----- t/t5551-http-fetch-smart.sh | 24 +++++++++++++ 2 files changed, 98 insertions(+), 8 deletions(-) -- 2.16.0.rc1.238.g530d649a79-goog