# What is sanitized by default

This page explains what is removed or redacted when we process a HAR file for our customers.

### **Request Headers**

* Headers can contain sensitive information like authorization tokens, API keys, and authentication data.
* Default header names to scrub:
  * `Authorization`: Used for access tokens and credentials.
  * `client_id`: Identifies the client in OAuth scenarios.
  * `client_secret`: Secret key for OAuth client authentication.
  * `auth`: Generic authentication headers.
  * `authenticity_token`: Tokens used to prevent CSRF attacks.
  * `x-client-data`: Custom header for client-specific data.

### **Cookies**

* Cookies may store sensitive session and user information.
* Default cookies to scrub:
  * `access_token`: Token for user authentication.
  * `refresh_token`: Token to obtain a new access token.
  * `id_token`: Token representing the user's identity.
  * `facetID`: Could be used in multi-factor authentication.
  * `serverData`: Generic server data that could be sensitive.
  * `vses2`: Example of a custom sensitive cookie.

### **Query and POST Parameters**

* These parameters often include sensitive data used in authentication and data transmission.
* Default parameters to scrub:
  * `SAMLRequest`: Used in SAML authentication.
  * `SAMLResponse`: Response for SAML authentication.
  * `code`: Authentication code in OAuth.
  * `code_challenge`: PKCE code challenge in OAuth.
  * `code_verifier`: PKCE code verifier in OAuth.
  * `state`: State parameter used in OAuth for CSRF protection.
  * `usg`: Example of a custom query parameter that could be sensitive.
  * `appID`: Application identifier.
  * `assertion`: Assertions used in authentication.
  * `challenge`: Challenge parameter, potentially used in multi-factor authentication.
  * `email`: User's email address.
  * `password`: User's password.

### **Response Headers**

* Certain response headers can reveal sensitive information.
* Default response headers to scrub:
  * `Set-Cookie`: Commonly used for session management and may contain sensitive information.

### **MIME Types**

* Response bodies of certain MIME types can contain sensitive information, so the body is scrubbed based on its MIME type.
* Default MIME types to scrub:
  * `application/javascript`: JavaScript files can contain sensitive data.
  * `text/javascript`: Textual JavaScript files.
  * `application/json`: JSON often contains sensitive data.
  * `application/xml`: XML can also contain sensitive data.
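
The following Python script is an added example, not Securely's own code, showing how the five default scrub lists above can be applied to a HAR 1.2 document. It redacts request headers, the parsed `cookies` list, `queryString` and `postData.params`, the `Set-Cookie` response header, and response bodies whose `content.mimeType` is listed. Two details go beyond what this page states and are assumptions of the example: listed cookie names are also redacted inside the raw `Cookie` request header, and listed query parameters are also redacted inside `request.url` (the HAR format carries the query string in both places, so scrubbing only `queryString` would leave a copy behind). The `[REDACTED]` marker, case-insensitive name matching, and the sample HAR are all constructed for the example.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"  # assumed marker; Securely's real marker is not documented here

# Default scrub lists from this page, lower-cased; case-insensitive matching is an assumption
REQUEST_HEADERS = {"authorization", "client_id", "client_secret", "auth",
                   "authenticity_token", "x-client-data"}
COOKIES = {"access_token", "refresh_token", "id_token", "facetid", "serverdata", "vses2"}
PARAMS = {"samlrequest", "samlresponse", "code", "code_challenge", "code_verifier",
          "state", "usg", "appid", "assertion", "challenge", "email", "password"}
RESPONSE_HEADERS = {"set-cookie"}
MIME_TYPES = {"application/javascript", "text/javascript", "application/json", "application/xml"}


def _scrub_pairs(pairs, names):
    """Redact the value of each HAR name/value record whose name is in `names`."""
    for pair in pairs:
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED


def _scrub_cookie_header(value):
    """Redact listed cookies inside a raw 'Cookie: a=1; b=2' header value (assumption)."""
    parts = []
    for part in value.split(";"):
        name, sep, _ = part.strip().partition("=")
        parts.append(f"{name}={REDACTED}" if sep and name.lower() in COOKIES else part.strip())
    return "; ".join(parts)


def _scrub_url(url):
    """Redact listed query parameters in the URL itself, not only in request.queryString."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="[]")))


def sanitize_entry(entry):
    """Apply the five default rules to one HAR entry in place and return it."""
    req, resp = entry.get("request", {}), entry.get("response", {})
    # 1. Request headers, including listed cookies carried in the Cookie header
    for header in req.get("headers", []):
        name = header.get("name", "").lower()
        if name in REQUEST_HEADERS:
            header["value"] = REDACTED
        elif name == "cookie":
            header["value"] = _scrub_cookie_header(header["value"])
    # 2. Cookies: the parsed request.cookies list
    _scrub_pairs(req.get("cookies", []), COOKIES)
    # 3. Query and POST parameters (queryString, the URL's own query, postData.params)
    _scrub_pairs(req.get("queryString", []), PARAMS)
    if "url" in req:
        req["url"] = _scrub_url(req["url"])
    _scrub_pairs(req.get("postData", {}).get("params", []), PARAMS)
    # 4. Response headers: Set-Cookie values are dropped wholesale
    _scrub_pairs(resp.get("headers", []), RESPONSE_HEADERS)
    # 5. MIME types: bodies of listed types are removed; "; charset=..." is ignored when matching
    content = resp.get("content", {})
    if content.get("mimeType", "").split(";")[0].strip().lower() in MIME_TYPES and "text" in content:
        content["text"] = REDACTED
    return entry


def sanitize_har(har):
    """Return a sanitized deep copy of a HAR document, leaving the input untouched."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        sanitize_entry(entry)
    return clean


# Constructed sample HAR (not a real capture) that exercises every default rule once
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://idp.example/token?code=abc123&state=xyz&page=2",
        "headers": [{"name": "Authorization", "value": "Bearer fake.token"},
                    {"name": "Cookie", "value": "access_token=tok; theme=dark"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "access_token", "value": "tok"}, {"name": "theme", "value": "dark"}],
        "queryString": [{"name": "code", "value": "abc123"}, {"name": "state", "value": "xyz"},
                        {"name": "page", "value": "2"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "params": [{"name": "password", "value": "hunter2"},
                                {"name": "remember", "value": "1"}]}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "id_token=abc; HttpOnly"},
                    {"name": "Content-Type", "value": "application/json"}],
        "content": {"mimeType": "application/json; charset=utf-8",
                    "text": '{"access_token": "secret"}'}}}]}}

if __name__ == "__main__":
    import json
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

Run the script to see the sanitized copy; non-listed values such as the `Accept` header, the `theme` cookie and the `page` parameter survive, while every listed name has its value replaced. The example replaces values rather than deleting records so that the shape of the capture, which is usually what a support engineer needs for debugging, stays intact.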

### See something missing?

* Check out our article on [Configuration](https://abrega.gitbook.io/securely/secure-har-file-management-with-securely/configuration) to see how you can customize these settings.
* If you would like to request that we expand any of this functionality, please [raise a support ticket](https://abrega.atlassian.net/servicedesk/customer/portal/1).
