Hi!

Request/response headers are currently being logged without any sanitizing being done upfront, which means that bearer tokens are logged. There are many scenarios in which we'd like to use DEBUG level, but still not log access tokens. Can we either redact the Authorization headers when logging, or add an option to disable logging of headers altogether.

I put up this suggested PR:
#532