fix: redact all headers from logs

Fixes https://emqx.atlassian.net/browse/EMQX-11904

Since headers are usually used for authentication and the headers used for that are very
flexible, we redact all headers from logs to avoid leaking anything.

apps/emqx_audit/test/emqx_audit_api_SUITE.erl

@@ -88,7 +88,7 @@ t_http_api(_) ->
                         <<"method">> := <<"put">>,
                         <<"body">> := #{<<"mqtt">> := #{<<"max_qos_allowed">> := 1}},
                         <<"bindings">> := _,
-                        <<"headers">> := #{<<"authorization">> := <<"******">>}
+                        <<"headers">> := "******"
                     },
                     <<"http_status_code">> := 200,
                     <<"operation_result">> := <<"success">>,

apps/emqx_utils/src/emqx_utils.app.src

@@ -2,7 +2,7 @@
 {application, emqx_utils, [
     {description, "Miscellaneous utilities for EMQX apps"},
     % strict semver, bump manually!
-    {vsn, "5.0.15"},
+    {vsn, "5.0.16"},
     {modules, [
         emqx_utils,
         emqx_utils_api,

apps/emqx_utils/src/emqx_utils.erl

@@ -717,6 +717,9 @@ is_sensitive_key(<<"jwt">>) -> true;
 is_sensitive_key(authorization) -> true;
 is_sensitive_key("authorization") -> true;
 is_sensitive_key(<<"authorization">>) -> true;
+is_sensitive_key(headers) -> true;
+is_sensitive_key("headers") -> true;
+is_sensitive_key(<<"headers">>) -> true;
 is_sensitive_key(bind_password) -> true;
 is_sensitive_key("bind_password") -> true;
 is_sensitive_key(<<"bind_password">>) -> true;
@@ -879,6 +882,7 @@ redact_test_() ->
         secret_key,
         secret_access_key,
         security_token,
+        headers,
         token,
         bind_password
     ],