`%REQ_ALL_HEADERS%` / `%RESP_ALL_HEADERS%` access log format operators

[willianpaixao]

Title

formatter: add REQ_ALL_HEADERS / RESP_ALL_HEADERS operators to serialize all HTTP headers

Description

Problem

Envoy's access log formatting currently requires each HTTP header to be individually named via %REQ(header-name)% / %RESP(header-name)%. This means operators must know in advance which headers are relevant and update their access log configuration every time a new header becomes interesting.

This creates two real-world pain points:

1. Security observability gaps. Unexpected or malicious headers (e.g. spring.cloud.function.routing-expression exploited during Log4Shell, or novel exfiltration headers) are silently dropped from logs because they were never enumerated in configuration. Threat detection pipelines cannot flag what they cannot see.

2. Operational overhead. Adding a single header to access logs requires a config change, validation, and a rolling redeploy across the fleet. For large deployments this is a meaningful operational cost just to start logging a header that was already on the wire.

Proposed solution

Add two new access log command operators:

• %REQ_ALL_HEADERS% -- serializes all HTTP request headers as a JSON object
• %RESP_ALL_HEADERS% -- same for response headers

When used with json_format, the output is a nested JSON object (not a flat string), allowing downstream log consumers (SIEM, Elasticsearch, etc.) to query individual headers without additional deserialization.

Design choices

Decision	Rationale
Ship as an extension formatter (envoy.formatter.all_headers), not a core operator	Opt-in, requires explicit configuration. Directly addresses security concern about accidentally logging sensitive data. Follows the req_without_query precedent.
exclude_headers config field (repeated string, case-insensitive)	Operators control what is redacted. Documentation recommends excluding authorization, cookie, set-cookie.
max_value_bytes config field (uint32, 0 = unlimited)	Bounds per-value log size, preventing multi-MB log lines from large header values.
Comma-join for repeated headers	RFC 7230 compliant. Simpler than emitting arrays. set-cookie caveat documented.
Include pseudo-headers (:method, :path, :authority, :status)	They are naturally present in the HeaderMap and useful for observability.
Return Protobuf::Struct from formatValue()	Produces a nested JSON object in json_format logs, same pattern as DYNAMIC_METADATA.

Example configuration

access_log:
  - name: envoy.access_loggers.file
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
      path: /dev/stdout
      log_format:
        json_format:
          timestamp: "%START_TIME%"
          status: "%RESPONSE_CODE%"
          request_headers: "%REQ_ALL_HEADERS%"
          response_headers: "%RESP_ALL_HEADERS%"
        formatters:
          - name: envoy.formatter.all_headers
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.formatter.all_headers.v3.AllHeaders
              max_value_bytes: 256
              exclude_headers:
                - authorization
                - cookie
                - set-cookie

Example output (JSON format)

{
  "timestamp": "2026-05-25T12:00:00.000Z",
  "status": 200,
  "request_headers": {
    ":method": "GET",
    ":path": "/api/v1/resource",
    ":authority": "example.com",
    "user-agent": "curl/8.0",
    "x-request-id": "abc-123",
    "accept": "text/html,application/json"
  },
  "response_headers": {
    ":status": "200",
    "content-type": "application/json",
    "x-envoy-upstream-service-time": "12"
  }
}

Related issues

Directly related:

• Option to log all request and response headers on the access log #40584 -- "Option to log all request and response headers on the access log" (closed as stale). The original feature request. Maintainer @phlax noted it would need "configurable obfuscation."
• Support multiple header values in access log, header formatting, tracing, and rate limiting #13454 -- "Support multiple header values in access log, header formatting, tracing, and rate limiting" (open, help wanted). Tracks multi-value header support; comment from @ramaraochavali proposes REQUEST_HEADER(*) notation. There is a TODO in req_without_query.cc:62 referencing this.
• Multi-value header matching API #13751 -- "Multi-value header matching API" (open). Follow-up from Support multiple header values in access log, header formatting, tracing, and rate limiting #13454 for ergonomic matching on multi-valued headers.

Header redaction / obfuscation (key maintainer concern):

• Prevent sensitive request headers from being logged in debug level #9652 -- "Prevent sensitive request headers from being logged in debug level" (open, design proposal). Feature request for redacting authorization, cookie from debug logs.
• PR debug: redact sensitive info from debug logs #27579 -- "debug: redact sensitive info from debug logs" (closed, not merged). Attempted debug-log redaction. Referenced by Option to log all request and response headers on the access log #40584 discussion. Shows maintainer caution around header logging.

Performance considerations

HeaderMap::iterate() is O(n headers) and involves string copies into a protobuf struct. This is non-trivial on high-throughput paths. Recommended mitigations:

• Pair this operator with an access log filter (e.g. sample-based, or only when %RESPONSE_FLAGS% != -) rather than using it on every request.
• Use max_value_bytes to bound per-value size.
• The extension-formatter approach makes this fully opt-in.

[nezdolik]

cc @wbpcode

[wbpcode]

cc @ramaraochavali I am fine to that if Rama also good to this. I guess @ramaraochavali also have some thoughts at that.

[ramaraochavali]

I am fine with this as well

[willianpaixao]

Awesome, I'll draft a PR.