When at debug level, the HTTP Authorization header, including the base64-encoded username:password, is written to the error_log.
The access_log has an optional `if` clause. If error_log also provides an optional `if` clause, we can filter out sensitive information, ie the Authorization header.
It is understandable that the access_log has far fewer log entries than the error_log, so support for the `if` clause was reasonable to not support. However, how to achieve ensuring sensitive information is not logged via the error_log is otherwise difficult to achieve.