What is sanitized by default

This page explains what is removed or redacted when we process a HAR file for our customers.

Request Headers

  • Headers can contain sensitive information like authorization tokens, API keys, and authentication data.

  • Default header names to scrub:

    • Authorization: Used for access tokens and credentials.

    • client_id: Identifies the client in OAuth scenarios.

    • client_secret: Secret key for OAuth client authentication.

    • auth: Generic authentication headers.

    • authenticity_token: Tokens used to prevent CSRF attacks.

    • x-client-data: Custom header for client-specific data.

Cookies

  • Cookies may store sensitive session and user information.

  • Default cookies to scrub:

    • access_token: Token for user authentication.

    • refresh_token: Token to obtain a new access token.

    • id_token: Token representing the user's identity.

    • facetID: Could be used in multi-factor authentication.

    • serverData: Generic server data that could be sensitive.

    • vses2: Example of a custom sensitive cookie.

Query and POST Parameters

  • These parameters often include sensitive data used in authentication and data transmission.

  • Default parameters to scrub:

    • SAMLRequest: Used in SAML authentication.

    • SAMLResponse: Response for SAML authentication.

    • code: Authentication code in OAuth.

    • code_challenge: PKCE code challenge in OAuth.

    • code_verifier: PKCE code verifier in OAuth.

    • state: State parameter used in OAuth for CSRF protection.

    • usg: Example of a custom query parameter that could be sensitive.

    • appID: Application identifier.

    • assertion: Assertions used in authentication.

    • challenge: Challenge parameter, potentially used in multi-factor authentication.

    • email: User's email address.

    • password: User's password.

Response Headers

  • Certain response headers can reveal sensitive information.

  • Default response headers to scrub:

    • Set-Cookie: Commonly used for session management and may contain sensitive information.

MIME Types

  • Response bodies served with certain MIME types can contain sensitive information.

  • Default MIME types to scrub:

    • application/javascript: JavaScript files can contain sensitive data.

    • text/javascript: Textual JavaScript files.

    • application/json: JSON often contains sensitive data.

    • application/xml: XML can also contain sensitive data.
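The following is an added example, not the product's own sanitizer, showing how the default lists above apply to the sections of a HAR 1.2 file. It assumes case-insensitive name matching, that values are replaced with the placeholder "[REDACTED]", and that a response body is redacted when its MIME type is on the list; the sample capture is constructed.

```python
import copy
import json

# Default scrub lists from the page above; names are compared case-insensitively.
REQUEST_HEADERS = {"authorization", "client_id", "client_secret", "auth",
                   "authenticity_token", "x-client-data"}
COOKIES = {"access_token", "refresh_token", "id_token", "facetid", "serverdata", "vses2"}
PARAMS = {"samlrequest", "samlresponse", "code", "code_challenge", "code_verifier",
          "state", "usg", "appid", "assertion", "challenge", "email", "password"}
RESPONSE_HEADERS = {"set-cookie"}
MIME_TYPES = {"application/javascript", "text/javascript", "application/json", "application/xml"}
REDACTED = "[REDACTED]"  # assumed placeholder; the real replacement text is not on the page

def _scrub_pairs(pairs, names):
    """Redact the value of each HAR name/value pair whose name is in `names`."""
    for pair in pairs:
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED

def sanitize_har(har):
    """Return a sanitized deep copy of a HAR 1.2 document; the input is left untouched."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        _scrub_pairs(req.get("headers", []), REQUEST_HEADERS)
        _scrub_pairs(req.get("cookies", []), COOKIES)
        _scrub_pairs(req.get("queryString", []), PARAMS)
        _scrub_pairs(req.get("postData", {}).get("params", []), PARAMS)
        _scrub_pairs(resp.get("headers", []), RESPONSE_HEADERS)
        content = resp.get("content", {})
        mime = content.get("mimeType", "").split(";")[0].strip().lower()  # drop "; charset=..."
        if mime in MIME_TYPES and "text" in content:
            content["text"] = REDACTED
    return har

# Constructed sample capture (not a real HAR file): one sensitive and one benign item per section.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "POST", "url": "https://example.test/oauth/token?state=abc&page=2",
                "headers": [{"name": "Authorization", "value": "Bearer s3cr3t"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "refresh_token", "value": "r1"}, {"name": "theme", "value": "dark"}],
                "queryString": [{"name": "state", "value": "abc"}, {"name": "page", "value": "2"}],
                "postData": {"mimeType": "application/x-www-form-urlencoded",
                             "params": [{"name": "code", "value": "xyz"}, {"name": "scope", "value": "openid"}]}},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=1"}, {"name": "Server", "value": "nginx"}],
                 "content": {"mimeType": "application/json; charset=utf-8", "text": '{"access_token": "t"}'}}}]}}

if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=1))
```

The request `url` field, which can carry the same query parameters, is left as-is here because the page does not say how it is handled.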

See something missing?

  • Check out our article on Configuration to see how you can customize these settings.

  • If you would like to request that we expand any of this functionality, please raise a support ticket.
