Backported from 5.0.2. Not quite sure if xrootd-4 is actually vulnerable
to this - but just in case.

From fff97c2dc6703dc1ba8b28b1bf67eeb278ff3e22 Mon Sep 17 00:00:00 2001
From: Andrew Hanushevsky <abh@stanford.edu>
Date: Wed, 2 Sep 2020 23:13:52 -0700
Subject: [PATCH] [HTTP] Prevent secret key leakage if specified in the config
 file.

---
 src/XrdHttp/XrdHttpProtocol.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc
index 66b89df20ed..5f50f2aeadd 100644
--- a/src/XrdHttp/XrdHttpProtocol.cc
+++ b/src/XrdHttp/XrdHttpProtocol.cc
@@ -1986,6 +1986,7 @@ int XrdHttpProtocol::xsslcafile(XrdOucStream & Config) {
 
 int XrdHttpProtocol::xsecretkey(XrdOucStream & Config) {
   char *val;
+  bool inFile = false;
 
   // Get the path
   //
@@ -2001,6 +2002,7 @@ int XrdHttpProtocol::xsecretkey(XrdOucStream & Config) {
   // otherwise, the token itself is the secretkey
   if (val[0] == '/') {
     struct stat st;
+    inFile = true;
     if ( stat(val, &st) ) {
       eDest.Emsg("Config", errno, "stat shared secret key file", val);
       return 1;
@@ -2059,6 +2061,7 @@ int XrdHttpProtocol::xsecretkey(XrdOucStream & Config) {
   // Record the path
   if (secretkey) free(secretkey);
   secretkey = strdup(val);
+  if (!inFile) Config.noEcho();
 
   return 0;
 }