The Fix
Upgrade to version 0.13.1 or later.
Based on closed Kludex/uvicorn issue #551 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -460,7 +460,6 @@ async def send(self, message):
self.scope["http_version"],
status_code,
- extra={"status_code": status_code, "scope": self.scope},
)
repro.py
{
"message": "255.255.255.255:37326 - \"POST /api/v1/count HTTP/1.1\" 200",
"timestamp": "2020-01-13T12:33:44.384008",
"levelno": 20,
"levelname": "INFO",
"name": "uvicorn.access",
"status_code": 200,
"scope": {
"type": "http",
"http_version": "1.1",
"server": ["0.0.0.0", 8080],
"client": ["255.255.255.255", 37326],
"scheme": "http",
"method": "POST",
"root_path": "",
"path": "/api/v1/count",
"raw_path": "b'/api/v1/count'",
"query_string": "b''",
"headers": [["b'host'", "b'lb.api.production.company.io:54776'"], ["b'sentry-trace'", "b'00-27422174e7f14c9aac3572a42d34006f-8f059e2531e39fb5-00'"], ["b'user-agent'", "b'test (version 2019.12.1)'"], ["b'accept-encoding'", "b'gzip, deflate'"], ["b'accept'", "b'*/*'"], ["b'content-type'", "b'application/json'"], ["b'authorization'", "b'Bearer fake-bearer-token'"], ["b'content-length'", "b'137'"], ["b'x-forwarded-port'", "b'54776'"], ["b'x-forwarded-for'", "b'255.255.255.255'"], ["b'connection'", "b'close'"]],
"fastapi_astack": "<contextlib.AsyncExitStack object at 0x7f62ec631090>",
"app": "<fastapi.applications.FastAPI object at 0x7f62eeda7710>",
"state": {
},
"router": "<fastapi.routing.APIRouter object at 0x7f62eeda7bd0>",
"endpoint": "<function count at 0x7f62ee6bc560>",
"path_params": {}
}
}
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\nUpgrade to version 0.13.1 or later.\nWhen NOT to use: Do not use this fix if you require logging of all headers for debugging purposes.\n\n
Why This Fix Works in Production
- Trigger: I would really caution against doing logging like Gunicorn does it, I'm quite happy with the way uvicorn handles it, with the exception of not being able to…
- Mechanism: The logging formatter included sensitive headers in access logs, risking exposure of API keys
- Why the fix works: Removes the scope from access logs when using a JSON logging formatter to prevent sensitive headers from being leaked. (first fixed release: 0.13.1).
Production impact:
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- The logging formatter included sensitive headers in access logs, risking exposure of API keys
- Production symptom (often without a traceback): I would really caution against doing logging like Gunicorn does it, I'm quite happy with the way uvicorn handles it, with the exception of not being able to define headers that should be excluded.
Proof / Evidence
- GitHub issue: #551
- Fix PR: https://github.com/encode/uvicorn/pull/859
- First fixed release: 0.13.1
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.85
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.42
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“I think this is fixed in https://github.com/encode/uvicorn/pull/859”
“The sensible place to start here would be to look at other Python web servers and determine what header filtering they put in place”
“@tomchristie Gunicorn defines the fields that it logs as follows: Identifier | Description -- | -- h | remote address l | '-' u |…”
Failure Signature (Search String)
- I would really caution against doing logging like Gunicorn does it, I'm quite happy with the way uvicorn handles it, with the exception of not being able to define headers that
Copy-friendly signature
signature.txt
Failure Signature
-----------------
I would really caution against doing logging like Gunicorn does it, I'm quite happy with the way uvicorn handles it, with the exception of not being able to define headers that should be excluded.
Error Message
Signature-only (no traceback captured)
error.txt
Error Message
-------------
I would really caution against doing logging like Gunicorn does it, I'm quite happy with the way uvicorn handles it, with the exception of not being able to define headers that should be excluded.
Minimal Reproduction
repro.py
{
"message": "255.255.255.255:37326 - \"POST /api/v1/count HTTP/1.1\" 200",
"timestamp": "2020-01-13T12:33:44.384008",
"levelno": 20,
"levelname": "INFO",
"name": "uvicorn.access",
"status_code": 200,
"scope": {
"type": "http",
"http_version": "1.1",
"server": ["0.0.0.0", 8080],
"client": ["255.255.255.255", 37326],
"scheme": "http",
"method": "POST",
"root_path": "",
"path": "/api/v1/count",
"raw_path": "b'/api/v1/count'",
"query_string": "b''",
"headers": [["b'host'", "b'lb.api.production.company.io:54776'"], ["b'sentry-trace'", "b'00-27422174e7f14c9aac3572a42d34006f-8f059e2531e39fb5-00'"], ["b'user-agent'", "b'test (version 2019.12.1)'"], ["b'accept-encoding'", "b'gzip, deflate'"], ["b'accept'", "b'*/*'"], ["b'content-type'", "b'application/json'"], ["b'authorization'", "b'Bearer fake-bearer-token'"], ["b'content-length'", "b'137'"], ["b'x-forwarded-port'", "b'54776'"], ["b'x-forwarded-for'", "b'255.255.255.255'"], ["b'connection'", "b'close'"]],
"fastapi_astack": "<contextlib.AsyncExitStack object at 0x7f62ec631090>",
"app": "<fastapi.applications.FastAPI object at 0x7f62eeda7710>",
"state": {
},
"router": "<fastapi.routing.APIRouter object at 0x7f62eeda7bd0>",
"endpoint": "<function count at 0x7f62ee6bc560>",
"path_params": {}
}
}
What Broke
Sensitive information like API keys was logged, leading to potential security risks.
Why It Broke
The logging formatter included sensitive headers in access logs, risking exposure of API keys
Fix Options (Details)
Option A — Upgrade to fixed release Safe default (recommended)
Upgrade to version 0.13.1 or later.
When NOT to use: Do not use this fix if you require logging of all headers for debugging purposes.
Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.
Fix reference: https://github.com/encode/uvicorn/pull/859
First fixed release: 0.13.1
Last verified: 2026-02-09. Validate in your environment.
When NOT to Use This Fix
- Do not use this fix if you require logging of all headers for debugging purposes.
Verify Fix
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
Did This Fix Work in Your Case?
Quick signal helps us prioritize which fixes to verify and improve.
Prevention
- Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
- Pin production dependencies and upgrade only with a reproducible test that hits the failing path.
Version Compatibility Table
| Version | Status |
|---|---|
| 0.13.1 | Fixed |
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.