Security: balyakin/querygate

SECURITY.md

Security

Query bodies can contain sensitive information. Treat QUERY request bodies with the same care as POST bodies.

querygate does not log request bodies. Sensitive headers are redacted from logs even at debug level: Authorization, Cookie, Set-Cookie, X-API-Key, and Proxy-Authorization.

Authenticated requests and requests with cookies are not cached unless the upstream response explicitly uses Cache-Control: public. Responses with Set-Cookie are not cached.

Cache-Control: no-store, private, and no-cache response directives are respected. Vary: * is not cached, and responses that vary on unsupported headers are not cached.
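The caching rules in the two paragraphs above can be read as one store/do-not-store decision. The sketch below is an added illustration, not querygate's code. It assumes that `Authorization`, `Proxy-Authorization` and `X-API-Key` are what mark a request as authenticated, that `SUPPORTED_VARY` is the set of `Vary` headers the cache can key on, and that `no-cache` is treated conservatively as "do not store".

```python
# Added illustration of the policy in this document; not querygate source.
# Assumption: these request headers mark a request as credentialed.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "cookie"}
# Assumption: the Vary headers this hypothetical cache can key on.
SUPPORTED_VARY = {"accept", "accept-encoding"}
# Response directives that block storing (no-cache handled conservatively).
BLOCKING = {"no-store", "private", "no-cache"}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise them once."""
    return {name.lower(): value for name, value in headers.items()}


def _directives(value):
    """Return the lowercase directive names of a Cache-Control value."""
    parts = (value or "").split(",")
    return {p.split("=", 1)[0].strip().lower() for p in parts if p.strip()}


def is_cacheable(request_headers, response_headers):
    """Return (decision, reason) for storing this response in a shared cache."""
    req, resp = _lower(request_headers), _lower(response_headers)
    cc = _directives(resp.get("cache-control"))

    blocked = sorted(cc & BLOCKING)
    if blocked:
        return False, "Cache-Control: " + ", ".join(blocked)
    if "set-cookie" in resp:
        return False, "response carries Set-Cookie"

    vary = [v.strip().lower() for v in resp.get("vary", "").split(",") if v.strip()]
    if "*" in vary:
        return False, "Vary: *"
    unsupported = [v for v in vary if v not in SUPPORTED_VARY]
    if unsupported:
        return False, "Vary on unsupported header: " + ", ".join(unsupported)

    # Credentialed requests need an explicit opt-in from the upstream.
    if CREDENTIAL_HEADERS & req.keys() and "public" not in cc:
        return False, "credentialed request without Cache-Control: public"
    return True, "cacheable"
```

Every check fails closed: a response is stored only when no rule objects, so a missing or unparseable `Cache-Control` on a credentialed request results in no caching.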

Run querygate behind TLS termination. v1 intentionally does not terminate TLS or manage certificates.

There aren't any published security advisories