What is sanitized by default
This page explains what is removed or redacted when we process a HAR file for our customers.
Request Headers
Headers can contain sensitive information like authorization tokens, API keys, and authentication data.
Default header names to scrub:
Authorization: Used for access tokens and credentials.
client_id: Identifies the client in OAuth scenarios.
client_secret: Secret key for OAuth client authentication.
auth: Generic authentication headers.
authenticity_token: Tokens used to prevent CSRF attacks.
x-client-data: Custom header for client-specific data.
Cookies
Cookies may store sensitive session and user information.
Default cookies to scrub:
access_token: Token for user authentication.
refresh_token: Token to obtain a new access token.
id_token: Token representing the user's identity.
facetID: Could be used in multi-factor authentication.
serverData: Generic server data that could be sensitive.
vses2: Example of a custom sensitive cookie.
Query and POST Parameters
These parameters often include sensitive data used in authentication and data transmission.
Default parameters to scrub:
SAMLRequest: Used in SAML authentication.
SAMLResponse: Response for SAML authentication.
code: Authorization code in OAuth.
code_challenge: PKCE code challenge in OAuth.
code_verifier: PKCE code verifier in OAuth.
state: State parameter used in OAuth for CSRF protection.
usg: Example of a custom query parameter that could be sensitive.
appID: Application identifier.
assertion: Assertions used in authentication.
challenge: Challenge parameter, potentially in multi-factor authentication.
email: User's email address.
password: User's password.
Response Headers
Certain response headers can reveal sensitive information.
Default response headers to scrub:
Set-Cookie: Commonly used for session management and may contain sensitive information.
MIME Types
MIME types indicating specific data formats can contain sensitive information.
Default MIME types to scrub:
application/javascript: JavaScript files can contain sensitive data.
text/javascript: Textual JavaScript files.
application/json: JSON often contains sensitive data.
application/xml: XML can also contain sensitive data.