Filtering HTTP AUTH info in message


In some of my messages (and metadata.value), http auth credentials are contained in a url. Is there any chance of filtering those?

As far as I understand, the sensitive fields setting does not apply to the message itself, and one can only exclude whole fields, not parts of a field. Is this understanding correct?