fix: non-breaking security improvements

src/main/java/com/checkout/ApacheHttpClientTransport.java

@@ -363,6 +363,10 @@
     }
 
     private Header[] sanitiseHeaders(final Header[] headers) {
+        // TODO: discuss whether Cko-Idempotency-Key should also be filtered — it is a per-request
+        //  unique identifier (not a credential), but filtering it reduces exposure in INFO logs.
+        //  Uncomment the line below once agreed.
+        // .filter(it -> !it.getName().equalsIgnoreCase(CKO_IDEMPOTENCY_KEY))
         return Arrays.stream(headers)
                 .filter(it -> !it.getName().equals(AUTHORIZATION))
                 .toArray(Header[]::new);

src/main/java/com/checkout/CheckoutApiException.java

@@ -7,7 +7,7 @@
 import java.util.Map;
 
 @Getter
-@ToString
+@ToString(exclude = "responseHeaders")
 public final class CheckoutApiException extends CheckoutException {
 
     private final Integer httpStatusCode;

src/main/java/com/checkout/GsonSerializer.java

@@ -43,6 +43,7 @@
 import com.google.gson.reflect.TypeToken;
 import com.google.gson.typeadapters.RuntimeTypeAdapterFactory;
 import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.EnumUtils;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.entity.UrlEncodedFormEntity;
@@ -67,6 +68,7 @@
 import java.util.stream.IntStream;
 
 @Getter
+@Slf4j
 public class GsonSerializer implements Serializer {
 
     private static final List<DateTimeFormatter> DEFAULT_FORMATTERS = Arrays.asList(
@@ -438,7 +440,7 @@ private static JsonDeserializer<ProductResponse> getProductDeserializer() {
                             }
                         }
                     } catch (IllegalAccessException e) {
-                        System.err.println("Error setting field: " + entry.getKey() + ", " + e.getMessage());
+                        log.warn("Error setting field: {}", entry.getKey(), e);
                     }
                 });