Grafana cloud synthetics test - http-debug is true by default and dashboard logs by default may show sensitive auth header data

By default it appears that standard http calls such as the simple example below log the Authorization header and are visible in the logs section of the dashboard.
The logs include source=http-debug.

This appears to be the default behaviour.

Is there any way of turning off http debugging specifically in the synthetic monitor scripts?

Using

```javascript
export const options = {
  httpDebug: 'none'
}
```

does not work. The documentation implies `httpDebug: 'full'` is not the default; however, it does appear to me to be in the context of synthetics.

Note - I appreciate in the example below you could use k6/secrets - however that does not resolve the problem, as in subsequent calls the auth token generated also appears in the logs for subsequent requests.

Thanks

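```javascript
// Imports needed by the snippets below (standard k6 modules)
import http from 'k6/http';
import encoding from 'k6/encoding';

// Token request: client credentials sent as a Basic Authorization header
const authTokenResponse = http.post(ctp_auth_url, `grant_type=client_credentials&scope=${ctp_scopes}`, {
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Authorization': `Basic ${encoding.b64encode(`${ctp_client_id}:${ctp_client_secret}`)}`,
    },
  });
```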

(subsequent request - can’t use k6/secrets - authorization header appears in logs)

```javascript
const req = http.get(url, {
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${access_token}`,
    }
  });
```

Hi @michaelodriscoll, thanks for flagging this. We’ve received similar reports from others and have a voice-of-customer issue open for it. I don’t have an ETA on a fix, but we are looking at

  • making the `httpDebug` option configurable in the scripts (it is currently hardcoded to `httpdebug="headers"`)
  • updating the secrets module to allow masking values that are not stored as secrets (similar to how GitHub Actions allows values to be masked)

It’s possible to work around the issue with a private probe, where you can set the K6_HTTP_DEBUG environment variable, which overrides the hardcoded CLI flag in the probe agent. For example with docker:

```bash
docker run -e K6_HTTP_DEBUG='' grafana/synthetic-monitoring-agent --api-server-address=${API_SERVER} --api-token=${API_TOKEN} --verbose=true
```
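
An added example (not part of the thread and not Grafana's code): the masking idea from the reply above, applied as a post-processing step that scrubs http-debug style dumps before they are stored or shared. The dump layout, the `createMasker` helper and the sample token are constructed assumptions.

```javascript
// Added example. SAMPLE's dump layout is constructed, not real probe output.
// Matches "Authorization:" / "Proxy-Authorization:" header lines, any case.
const AUTH_HEADER = /^([ \t]*(?:proxy-)?authorization[ \t]*:[ \t]*)(.*)$/gim;

function createMasker() {
  const values = new Set(); // runtime-registered secrets, like GitHub Actions' add-mask
  return {
    add(value) {
      // Ignore empty/short strings: masking them would shred unrelated text.
      if (typeof value === 'string' && value.length >= 8) values.add(value);
    },
    scrub(text) {
      let findings = 0;
      // Pass 1: header-aware. Keep the scheme (Basic/Bearer), drop the credential.
      let out = text.replace(AUTH_HEADER, (line, name, rest) => {
        const parts = rest.trim().split(/\s+/);
        if (parts[0] === '') return line; // header present but empty
        findings++;
        return parts.length > 1 ? `${name}${parts[0]} ***` : `${name}***`;
      });
      // Pass 2: value-aware. Catches the same token echoed in bodies or URLs.
      for (const v of values) {
        const pieces = out.split(v);
        findings += pieces.length - 1;
        out = pieces.join('***');
      }
      return { text: out, findings };
    },
  };
}

// Constructed sample: a token request, its JSON response, and a follow-up call.
const SAMPLE = [
  'POST /oauth/token HTTP/1.1',
  'Authorization: Basic Y2xpZW50LWlkOmNsaWVudC1zZWNyZXQ=',
  '',
  '{"access_token":"tok_constructed_0123456789","token_type":"Bearer"}',
  'GET /orders HTTP/1.1',
  'authorization: Bearer tok_constructed_0123456789',
].join('\r\n');

function scrubSample() {
  const masker = createMasker();
  masker.add('tok_constructed_0123456789'); // register the token once it is issued
  return masker.scrub(SAMPLE);
}

console.log(scrubSample().text);
```

The header pass covers the Basic and Bearer cases from the question without knowing the secret; the value pass is what handles a token that was only generated at runtime and so cannot be stored with k6/secrets in advance.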

Many thanks @peterschretlen1 for confirming current behaviour and potential private probe option, we’ll look into that. Cheers.