docs: log_credentials global option

src/docs/markdown/caddyfile/directives/log.md

@@ -35,6 +35,8 @@ The `log` directive applies to the host/port of the site block it appears in, no
 	- [hash](#hash)
 - [Examples](#examples)
 
+Since Caddy v2.5, by default, headers with potentially sensitive information (`Cookie`, `Set-Cookie`, `Authorization` and `Proxy-Authorization`) will be logged with empty values. This behaviour can be disabled with the [`log_credentials`](/docs/caddyfile/options#log-credentials) global server option.
+
 
 ## Syntax
 

src/docs/markdown/caddyfile/options.md

@@ -98,6 +98,7 @@ Possible options are:
 			idle        <duration>
 		}
 		max_header_size <size>
+		log_credentials
 		protocol {
 			allow_h2c
 			experimental_http3
@@ -309,6 +310,13 @@ listener_wrappers {
 The maximum size to parse from a client's HTTP request headers. It accepts all formats supported by [go-humanize](https://github.com/dustin/go-humanize/blob/master/bytes.go).
 
 
+##### `log_credentials`
+
+Since Caddy v2.5, by default, headers with potentially sensitive information (`Cookie`, `Set-Cookie`, `Authorization` and `Proxy-Authorization`) will be logged with empty values in access logs (see the [`log` directive](/docs/caddyfile/directives/log)).
+
+If you wish to _not_ have these headers redacted, you may enable the `log_credentials` option.
+
+
 ##### `protocol`
 
 - **allow_h2c** enables H2C ("Cleartext HTTP/2" or "H2 over TCP") support, which will serve HTTP/2 over plaintext TCP connections if a client support it. Because this is not implemented by the Go standard library, using H2C is incompatible with most of the other options for this server. Do not enable this only to achieve maximum client compatibility. In practice, very few clients implement H2C, and even fewer require it. This setting applies only to unencrypted HTTP listeners. ⚠️ Experimental feature; subject to change or removal.