diff --git a/inventory/sample/group_vars/all/containerd.yml b/inventory/sample/group_vars/all/containerd.yml
index 906437df0..efa1769fc 100644
--- a/inventory/sample/group_vars/all/containerd.yml
+++ b/inventory/sample/group_vars/all/containerd.yml
@@ -50,6 +50,8 @@
 # - host: https://registry-1.docker.io
 # capabilities: ["pull", "resolve"]
 # skip_verify: false
+# header:
+# Authorization: "Basic XXX"
 # containerd_max_container_log_line_size: 16384
diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index 7f76ef331..a0865bd78 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -64,7 +64,8 @@ containerd_registries_mirrors:
 skip_verify: false
 # ca: ["/etc/certs/mirror.pem"]
 # client: [["/etc/certs/client.pem", ""],["/etc/certs/client.cert", "/etc/certs/client.key"]]
-
+# header:
+# Authorization: "Basic XXX"
 containerd_max_container_log_line_size: 16384
 # If enabled it will allow non root users to use port numbers <1024
diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
index fec1410fc..ae726b78d 100644
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -73,6 +73,8 @@
 notify: Restart containerd
 - name: Containerd | Configure containerd registries
+ # mirror configuration can contain sensitive information on headers configuration
+ no_log: "{{ not (unsafe_show_logs | bool) }}"
 block:
 - name: Containerd | Create registry directories
 file:
diff --git a/roles/container-engine/containerd/templates/hosts.toml.j2 b/roles/container-engine/containerd/templates/hosts.toml.j2
index b2b16a65f..0f5b3d013 100644
--- a/roles/container-engine/containerd/templates/hosts.toml.j2
+++ b/roles/container-engine/containerd/templates/hosts.toml.j2
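Review bot: The new `header` example in inventory/sample/group_vars/all/containerd.yml shows an inline `Authorization: "Basic XXX"` value with no hint that it is a credential, and the same example is added in roles/container-engine/containerd/defaults/main.yml. A short comment above it would help, for instance `# header values may hold credentials; keep real values in Ansible Vault, not in plain-text group_vars`. In the defaults/main.yml hunk the blank line before `containerd_max_container_log_line_size` is also removed, so the commented example now runs straight into the next variable; keeping that blank line would preserve the separation between stanzas.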
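Review bot: In roles/container-engine/containerd/tasks/main.yml the added `no_log` on the `Containerd | Configure containerd registries` block keeps header values out of task output only; the same values are presumably still rendered into hosts.toml by a later task in this block, which lies outside the hunk. It is worth confirming that task writes the file with a mode that is not world-readable (for example `mode: "0640"` or tighter), since the file may now carry an Authorization header. Because `no_log` is set at block level it also censors failures from the directory-creation task, so the comment could say how to get output back, e.g. `# mirror entries may carry credentials in header values; set unsafe_show_logs to debug this block`.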
@@ -10,4 +10,10 @@ server = "{{ item.server | default("https://" + item.prefix) }}"
 {% if mirror.client is defined %}
 client = [{% for pair in mirror.client %}["{{ pair[0] }}", "{{ pair[1] }}"]{% if not loop.last %},{% endif %}{% endfor %}]
 {% endif %}
+{% if mirror.header is defined %}
+ [host."{{ mirror.host }}".header]
+{% for key, value in mirror.header.items() %}
+ {{ key }} = ["{{ ([ value ] | flatten ) | join('","') }}"]
+{% endfor %}
+{% endif %}
 {% endfor %}
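Review bot: The header values on the `{{ key }} = [...]` line are placed between double quotes without escaping, so a value containing `"` or `\` renders invalid TOML or changes how the rest of the line parses. Letting a filter do the quoting avoids that, e.g. `{{ key }} = {{ [ value ] | flatten | map('string') | list | to_json }}`; for ASCII header values the JSON encoding is also a valid TOML string array. The key is emitted as a bare TOML key, which only works for names made of letters, digits, `-` and `_`; `{{ key | to_json }}` would cover the rest. The enclosing loop that the final `{% endfor %}` closes starts outside the hunk.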