Muskan_Kafle
Nimbostratus
Mar 28, 2026

iRule Approach to Mask Authorization Header for Bot Defense Logging – Validation Needed

I am working on masking sensitive information (specifically the Authorization header) from being exposed in Bot Defense logs on F5 BIG-IP Bot Defense, as there is currently no native feature available to mask the BOT request.

To address this, I have implemented the following iRule:

when HTTP_REQUEST {
    # Unique ID per request (handles keep-alive correctly)
    set req_id [HTTP::request_num]

    if {[HTTP::header exists "Authorization"]} {
        # Save original header for later restore
        set auth($req_id) [HTTP::header value "Authorization"]

        # Mask BEFORE Bot Defense inspects/logs
        HTTP::header replace "Authorization" "Bearer *******************************************************************************"
    }
}

when HTTP_REQUEST_RELEASE {
    # This runs AFTER Bot Defense logging but BEFORE server send
    set req_id [HTTP::request_num]

    if {[info exists auth($req_id)]} {
        # Restore original header for the application
        HTTP::header replace "Authorization" $auth($req_id)

        # Clean up memory
        unset auth($req_id)
    }
}

Is this iRule approach valid and reliable? Any suggestions for improvement or enhancement would be greatly appreciated.

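A variant of the iRule above, added here as an example and not part of the original post: it masks every Authorization header on the request (HTTP::header value and HTTP::header replace act on a single occurrence) and keeps the scheme token so the log still distinguishes Basic from Bearer. It carries over the post's assumption that HTTP_REQUEST_RELEASE fires after Bot Defense has logged the request; the ******** mask string is an arbitrary choice.

```tcl
# Added example, not the poster's iRule.
# Assumption taken from the post: HTTP_REQUEST_RELEASE runs after
# Bot Defense logging and before the request is sent to the server.

when HTTP_REQUEST {
    if { ![HTTP::header exists "Authorization"] } { return }

    # Per-request key, as in the original rule (keep-alive safe)
    set req_id [HTTP::request_num]

    # "values" returns a list with every Authorization header
    set auth($req_id) [HTTP::header values "Authorization"]

    # Remove all occurrences, then insert one masked header per original
    HTTP::header remove "Authorization"
    foreach v $auth($req_id) {
        set v [string trim $v]
        set sp [string first " " $v]
        if { $sp > 0 } {
            # Keep the scheme (Bearer, Basic, ...), mask the credential
            set masked "[string range $v 0 [expr {$sp - 1}]] ********"
        } else {
            # No scheme token present: mask the whole value
            set masked "********"
        }
        HTTP::header insert "Authorization" $masked
    }
}

when HTTP_REQUEST_RELEASE {
    set req_id [HTTP::request_num]
    if { ![info exists auth($req_id)] } { return }

    # Put the original headers back for the application
    HTTP::header remove "Authorization"
    foreach v $auth($req_id) {
        HTTP::header insert "Authorization" $v
    }

    # Free the saved copy for this request
    unset auth($req_id)
}
```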