Description
Issue Details
The admin API handler logs request headers using zap.Reflect("headers", r.Header) in adminHandler.ServeHTTP (admin.go:803), which serializes the raw header map without any redaction.
The rest of the codebase uses LoggableHTTPHeader for header logging, which redacts Cookie, Set-Cookie, Authorization, and Proxy-Authorization unless ShouldLogCredentials is explicitly enabled (added in #5669). The admin handler is the only logging path that bypasses this.
Fix: Replace the zap.Reflect call with zap.Object("headers", LoggableHTTPHeader{Header: r.Header}) to be consistent with every other logging site in the codebase.
This matters in deployments where the admin API is accessed through a proxy that injects auth headers, or where admin logs are shipped to a centralized logging system.
Assistance Disclosure
AI used
If AI was used, describe the extent to which it was used.
Claude helped me write the issue body, but the finding is mine.
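To make the difference between the two logging paths concrete, here is an added, stand-alone example (not Caddy's code and not from the issue author). It uses only the Go standard library, so `log/slog`'s `LogValuer` stands in for zap's `ObjectMarshaler`, and the `LoggableHTTPHeader` type, its `ShouldLogCredentials` field and the `REDACTED` placeholder are illustrative assumptions modelled on the names in the issue, not the project's implementation. The sample headers are constructed inline. `RenderBoth` logs the same request twice: once with the raw header map (the `zap.Reflect` behaviour) and once through the redacting wrapper (the `zap.Object` fix).

```go
package main

import (
	"fmt"
	"log/slog"
	"net/http"
	"strings"
)

// credentialHeaders is the redaction set named in the issue. Illustrative copy;
// Caddy's real list lives in its own LoggableHTTPHeader.
var credentialHeaders = map[string]bool{
	"Cookie":              true,
	"Set-Cookie":          true,
	"Authorization":       true,
	"Proxy-Authorization": true,
}

// LoggableHTTPHeader wraps an http.Header so that credential-bearing headers
// are redacted when logged unless ShouldLogCredentials is set.
// Illustrative type (assumption), not Caddy's.
type LoggableHTTPHeader struct {
	http.Header
	ShouldLogCredentials bool
}

// Redacted returns a copy of the header map with credential values replaced by
// the placeholder "REDACTED". Keys are canonicalised before the lookup so a
// hand-built map with "authorization" is still caught.
func (h LoggableHTTPHeader) Redacted() map[string][]string {
	out := make(map[string][]string, len(h.Header))
	for name, vals := range h.Header {
		if !h.ShouldLogCredentials && credentialHeaders[http.CanonicalHeaderKey(name)] {
			red := make([]string, len(vals))
			for i := range red {
				red[i] = "REDACTED"
			}
			out[name] = red
			continue
		}
		out[name] = append([]string(nil), vals...)
	}
	return out
}

// LogValue implements slog.LogValuer, the slog counterpart of
// zapcore.ObjectMarshaler: the logger calls it instead of reflecting over
// the raw map, so redaction happens at every logging site that uses the type.
func (h LoggableHTTPHeader) LogValue() slog.Value {
	attrs := make([]slog.Attr, 0, len(h.Header))
	for name, vals := range h.Redacted() {
		attrs = append(attrs, slog.String(name, strings.Join(vals, ",")))
	}
	return slog.GroupValue(attrs...)
}

// sampleHeader builds a constructed request header carrying two secrets and
// one harmless diagnostic header.
func sampleHeader() http.Header {
	h := http.Header{}
	h.Set("Authorization", "Bearer s3cr3t")
	h.Set("Cookie", "session=abc")
	h.Set("X-Request-Id", "abc123")
	return h
}

// RenderBoth logs the same headers through the unsafe path (raw map, as
// zap.Reflect does) and the safe path (redacting wrapper, as zap.Object with
// LoggableHTTPHeader does) and returns both log lines.
func RenderBoth(h http.Header) (raw, safe string) {
	var rawBuf, safeBuf strings.Builder
	rawLog := slog.New(slog.NewTextHandler(&rawBuf, nil))
	safeLog := slog.New(slog.NewTextHandler(&safeBuf, nil))

	// Bug pattern: the whole map, secrets included, is serialised verbatim.
	rawLog.Info("received request", slog.Any("headers", h))
	// Fix pattern: the wrapper's LogValue runs and credentials are redacted.
	safeLog.Info("received request", slog.Any("headers", LoggableHTTPHeader{Header: h}))

	return rawBuf.String(), safeBuf.String()
}

func main() {
	raw, safe := RenderBoth(sampleHeader())
	fmt.Print("raw:  ", raw)
	fmt.Print("safe: ", safe)
}
```

Running it prints the Authorization bearer token and the session cookie in the first line and `REDACTED` in their place in the second; `X-Request-Id` survives in both. Setting `ShouldLogCredentials: true` on the wrapper restores the raw values, which is the explicit opt-in the issue refers to.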