diff --git a/common/http_client.py b/common/http_client.py
index e1b276923..d98db0e82 100644
--- a/common/http_client.py
+++ b/common/http_client.py
@@ -144,24 +144,23 @@ async def async_request(
                     method=method, url=url, headers=headers, **kwargs
                 )
                 duration = time.monotonic() - start
-                log_url = "<SENSITIVE ENDPOINT>" if _is_sensitive_url(url) else _redact_sensitive_url_params(url)
-                logger.debug(
-                    f"async_request {method} {log_url} -> {response.status_code} in {duration:.3f}s"
-                )
+                if not _is_sensitive_url(url):
+                    log_url = _redact_sensitive_url_params(url)
+                    logger.debug(f"async_request {method} {log_url} -> {response.status_code} in {duration:.3f}s")
                 return response
             except httpx.RequestError as exc:
                 last_exc = exc
                 if attempt >= retries:
-                    log_url = "<SENSITIVE ENDPOINT>" if _is_sensitive_url(url) else _redact_sensitive_url_params(url)
-                    logger.warning(
-                        f"async_request exhausted retries for {method} {log_url}"
-                    )
+                    if not _is_sensitive_url(url):
+                        log_url = _redact_sensitive_url_params(url)
+                        logger.warning(f"async_request exhausted retries for {method} {log_url}")
                     raise
                 delay = _get_delay(backoff_factor, attempt)
-                log_url = "<SENSITIVE ENDPOINT>" if _is_sensitive_url(url) else _redact_sensitive_url_params(url)
-                logger.warning(
-                    f"async_request attempt {attempt + 1}/{retries + 1} failed for {method} {log_url}; retrying in {delay:.2f}s"
-                )
+                if not _is_sensitive_url(url):
+                    log_url = _redact_sensitive_url_params(url)
+                    logger.warning(
+                        f"async_request attempt {attempt + 1}/{retries + 1} failed for {method} {log_url}; retrying in {delay:.2f}s"
+                    )
                 await asyncio.sleep(delay)
         raise last_exc  # pragma: no cover
 
diff --git a/rag/utils/opendal_conn.py b/rag/utils/opendal_conn.py
index caa81244e..c261665f7 100644
--- a/rag/utils/opendal_conn.py
+++ b/rag/utils/opendal_conn.py
@@ -45,9 +45,9 @@ def get_opendal_config():
         # Only include non-sensitive keys in logs. Do NOT
         # add 'password' or any key containing embedded credentials
         # (like 'connection_string').
-        safe_log_keys = ['scheme', 'host', 'port', 'database', 'table']
-        loggable_kwargs = {k: v for k, v in kwargs.items() if k in safe_log_keys}
-        logging.info("Loaded OpenDAL configuration (non sensitive): %s", loggable_kwargs)
+        SAFE_LOG_KEYS = ['scheme', 'host', 'port', 'database', 'table'] # explicitly non-sensitive
+        loggable_kwargs = {k: v for k, v in kwargs.items() if k in SAFE_LOG_KEYS}
+        logging.info("Loaded OpenDAL configuration (non sensitive fields only): %s", loggable_kwargs)
 
         # For safety, explicitly remove sensitive keys from kwargs after use
         if "password" in kwargs: