Athena CIAM Security Flaw: High-Frequency API Key Exposure in Request Logs
A critical security vulnerability within the Athena CIAM (Customer Identity and Access Management) system is exposing a core reload API key in plaintext across its logs. The flaw is triggered every time Athena calls the internal reload endpoint: the sensitive `X-Reload-Api-Key` header, which carries the `CIAM_RELOAD_API_KEY` value, is written directly into standard HTTP request logs. This creates a high-frequency, automated pattern of secret exposure, because the logging middleware in frameworks such as Express, Hono, or Bun's built-in logger records all request headers by default.
The exposure occurs when Athena's service performs a `POST` request to `/internal/kratos/reload` on its SIGHUP sidecar, a routine action following a social connection configuration update. Without explicit filtering, every log entry for this reload call captures the full, unredacted API key. This vulnerability affects both the outgoing request logs from Athena and any internal middleware that echoes request context, posing a direct risk to the integrity of the CIAM reload mechanism.
This pattern represents a systemic security failure in logging hygiene. The absence of header redaction transforms routine operational logs into a persistent leak of a critical authentication secret. The requirement is clear: the HTTP request logging middleware must be immediately reconfigured to filter and redact the `X-Reload-Api-Key` header, replacing its value with a static placeholder before any data is written to stdout, files, or external log aggregators. Failure to implement this fix leaves the reload API key continuously exposed to anyone with access to these logs.
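The redaction the advisory calls for, as an added example that is not Athena's own code: a framework-agnostic request logger that replaces the `X-Reload-Api-Key` value with a placeholder before the line reaches any sink, plus an audit helper for finding lines in existing logs that already contain the raw key. The header set, the sample request and the key value are constructed for illustration.

```javascript
// Added example, not part of the original advisory. Header names are matched
// case-insensitively so "X-Reload-Api-Key" and "x-reload-api-key" are both caught.
const SENSITIVE_HEADERS = new Set(['x-reload-api-key', 'authorization', 'cookie']);
const PLACEHOLDER = '[REDACTED]';

// Return a copy of `headers` with every sensitive value replaced by PLACEHOLDER.
function redactHeaders(headers, sensitive = SENSITIVE_HEADERS) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = sensitive.has(name.toLowerCase()) ? PLACEHOLDER : value;
  }
  return out;
}

// Build the log line for a request. Redaction happens here, before the line
// is handed to stdout, a file, or a log aggregator, so no sink sees the secret.
function formatRequestLog(req) {
  const safe = redactHeaders(req.headers);
  return `${req.method} ${req.url} headers=${JSON.stringify(safe)}`;
}

// Express/Hono-style middleware: write the redacted line to `sink`, then continue.
function requestLogger(sink = console.log) {
  return (req, res, next) => {
    sink(formatRequestLog(req));
    next();
  };
}

// Audit helper: return the log lines that still contain the raw key, so log
// stores written before the middleware was fixed can be identified and cleaned.
function findLeakedKeyLines(logLines, rawKey) {
  return logLines.filter((line) => line.includes(rawKey));
}

// Constructed sample: the reload call described above. The key value is fake.
const sampleReloadRequest = {
  method: 'POST',
  url: '/internal/kratos/reload',
  headers: {
    'content-type': 'application/json',
    'X-Reload-Api-Key': 'fake-reload-key-0123',
  },
};
```

Running `formatRequestLog(sampleReloadRequest)` yields a line whose header map shows `"X-Reload-Api-Key":"[REDACTED]"` while the other headers are left intact.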