# What is sanitized by default

This page explains what is removed or redacted when we process a HAR file for our customers.

### **Request Headers**

* Headers can contain sensitive information like authorization tokens, API keys, and authentication data.
* Default words to scrub:
  * `Authorization`: Used for access tokens and credentials.
  * `client_id`: Identifies the client in OAuth scenarios.
  * `client_secret`: Secret key for OAuth client authentication.
  * `auth`: Generic authentication headers.
  * `authenticity_token`: Tokens used to prevent CSRF attacks.
  * `x-client-data`: Custom header for client-specific data.

### **Cookies**

* Cookies may store sensitive session and user information.
* Default cookies to scrub:
  * `access_token`: Token for user authentication.
  * `refresh_token`: Token to obtain a new access token.
  * `id_token`: Token representing the user's identity.
  * `facetID`: Could be used in multi-factor authentication.
  * `serverData`: Generic server data that could be sensitive.
  * `vses2`: Example of a custom sensitive cookie.

### **Query and POST Parameters**

* These parameters often include sensitive data used in authentication and data transmission.
* Default parameters to scrub:
  * `SAMLRequest`: Used in SAML authentication.
  * `SAMLResponse`: Response for SAML authentication.
  * `code`: Authentication code in OAuth.
  * `code_challenge`: PKCE code challenge in OAuth.
  * `code_verifier`: PKCE code verifier in OAuth.
  * `state`: State parameter used in OAuth for CSRF protection.
  * `usg`: Example of a custom query parameter that could be sensitive.
  * `appID`: Application identifier.
  * `assertion`: Assertions used in authentication.
  * `challenge`: Challenge parameter, potentially used in multi-factor authentication.
  * `email`: User's email address.
  * `password`: User's password.

### **Response Headers**

* Certain response headers can reveal sensitive information.
* Default response headers to scrub:
  * `Set-Cookie`: Commonly used for session management and may contain sensitive information.

### **MIME Types**

* Content served with certain MIME types can contain sensitive information.
* Default MIME types to scrub:
  * `application/javascript`: JavaScript files can contain sensitive data.
  * `text/javascript`: Textual JavaScript files.
  * `application/json`: JSON often contains sensitive data.
  * `application/xml`: XML can also contain sensitive data.
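As an added illustration (not Securely's own code), the following Python sanitizer applies exactly the default lists above to a parsed HAR file. The `[REDACTED]` marker, case-insensitive name matching, and scrubbing listed cookie names inside the raw `Cookie` header are assumptions, since the page does not specify how values are replaced.

```python
from copy import deepcopy
REDACTED = "[REDACTED]"  # placeholder marker; the page does not state Securely's actual replacement text
# Default scrub lists as documented on this page; case-insensitive name matching is an assumption
REQUEST_HEADERS = {"authorization", "client_id", "client_secret", "auth", "authenticity_token", "x-client-data"}
COOKIES = {"access_token", "refresh_token", "id_token", "facetid", "serverdata", "vses2"}
PARAMS = {"samlrequest", "samlresponse", "code", "code_challenge", "code_verifier", "state",
          "usg", "appid", "assertion", "challenge", "email", "password"}
RESPONSE_HEADERS = {"set-cookie"}
MIME_TYPES = {"application/javascript", "text/javascript", "application/json", "application/xml"}

def _scrub_pairs(pairs, names):
    """Redact the value of every HAR name/value object whose name is on the list."""
    for item in pairs or []:
        if item.get("name", "").lower() in names:
            item["value"] = REDACTED

def _scrub_cookie_header(headers):
    """The raw Cookie header repeats request.cookies, so listed cookie names must be scrubbed there too."""
    for h in headers or []:
        if h.get("name", "").lower() == "cookie":
            parts = []
            for kv in h.get("value", "").split(";"):
                name, eq, _ = kv.strip().partition("=")
                parts.append(f"{name}={REDACTED}" if eq and name.lower() in COOKIES else kv.strip())
            h["value"] = "; ".join(parts)

def sanitize_har(har):
    """Return a sanitized deep copy of a parsed HAR dict; the caller's object is left untouched."""
    har = deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        _scrub_pairs(req.get("headers"), REQUEST_HEADERS)
        _scrub_cookie_header(req.get("headers"))
        _scrub_pairs(req.get("cookies"), COOKIES)
        _scrub_pairs(req.get("queryString"), PARAMS)
        _scrub_pairs(req.get("postData", {}).get("params"), PARAMS)
        _scrub_pairs(resp.get("headers"), RESPONSE_HEADERS)
        content = resp.get("content", {})  # mimeType may carry "; charset=..."; compare the bare type only
        if content.get("mimeType", "").split(";")[0].strip().lower() in MIME_TYPES and "text" in content:
            content["text"] = REDACTED
    return har

SAMPLE_HAR = {"log": {"entries": [{  # constructed sample entry, not a real capture
    "request": {"headers": [{"name": "Authorization", "value": "Bearer abc123"},
                            {"name": "Cookie", "value": "access_token=tok; theme=dark"}],
                "queryString": [{"name": "code", "value": "oauth-code"}, {"name": "page", "value": "2"}],
                "postData": {"params": [{"name": "password", "value": "hunter2"}]}},
    "response": {"headers": [{"name": "Set-Cookie", "value": "id_token=xyz"}, {"name": "Server", "value": "nginx"}],
                 "content": {"mimeType": "application/json; charset=utf-8", "text": "{\"secret\": 1}"}}}]}}
```

Non-listed names such as `theme`, `page` and `Server` pass through unchanged, which is the same behaviour you should verify against any customized list before sharing a HAR.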

### See something missing?

* Check out our article on [Configuration](/securely/secure-har-file-management-with-securely/configuration.md) to see how you can customize these settings.
* If you would like to request that we expand any of this functionality, please [raise a support ticket](https://abrega.atlassian.net/servicedesk/customer/portal/1).
