How to use the HAR Sanitizer & Replay Packager
Sanitize Chrome, Firefox, or Edge HAR (HTTP Archive) files before sharing API traces with vendors, support, Jira, or GitHub issues. The HAR Sanitizer redacts Authorization headers, cookies, API keys, JWTs, query-string secrets, and sensitive body fields, then exports a replay-ready bundle as cURL, Postman, or fetch snippets. Useful for incident sharing, vendor support tickets, and offline debugging without leaking session tokens or PII. Runs locally; HAR files never leave your browser.
What it does
- Redacts Authorization (Bearer, Basic), cookies, X-Api-Key, custom auth, and query secrets (access_token, token, sig).
- Scans request and response bodies for tokens, JWTs, PII, and secrets.
- Per-entry include / exclude — drop noise (analytics, fonts, images) from the export.
- Replay export: produce cURL commands, Postman collection, or fetch snippets for the surviving entries.
- Handles multi-megabyte HARs from SPAs without uploading anything.
- Diff two HARs to see what changed between recordings.
When to use it
- A vendor's support team asks for a HAR file to debug an API integration.
- Attach network logs to a Jira / GitHub issue without leaking session tokens.
- QA is sharing a HAR recording with a third-party contractor.
- You need a sanitized replay package for offline debugging.
- Audit which third-party requests your app makes.
- Compare HARs before and after a release to spot regressions.
How to use it
- Export a HAR from Chrome DevTools: Network → right-click → "Save all as HAR with content".
- Open the HAR Sanitizer and load (or paste) the HAR JSON.
- Review detected sensitive headers, cookies, and body matches. Toggle which to redact.
- Filter entries — drop analytics, fonts, images, and noisy CDN calls.
- Export the sanitized HAR, a Postman collection, cURL commands, or fetch snippets.
- Attach the sanitized output to the ticket. Verify the redactions before sharing.
Tips & pitfalls
- HAR includes full request and response bodies — PII in JSON payloads is a common leak source. Review body redaction, not just headers.
- The sanitized HAR is for sharing, not for live replay — credentials are gone. Re-inject valid credentials in the replay environment.
- Multi-megabyte HARs from SPAs are handled in-browser, but expect a brief delay on slower devices.
- Strip Set-Cookie response headers before sharing — session cookies are usable until they expire.
- Some vendors send tokens in query strings — check the URL field, not just headers.
- For pure secret detection on arbitrary text, the Secrets Scanner covers more pattern types.
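The redaction steps described above (headers, cookies, query-string secrets, JSON body fields, JWT-shaped strings) and the "verify the redactions before sharing" check, as an added Node.js example that is not the HAR Sanitizer's own code. The HAR object, header names, key lists and secret values below are constructed for the demo.

```javascript
// Added example, not the tool's code: minimal HAR redactor plus a post-redaction leak check.
// SAMPLE_HAR is a constructed HAR 1.2 fragment with secrets in the URL, headers, cookies and body.
const SAMPLE_HAR = { log: { version: "1.2", entries: [{
  request: {
    method: "GET", url: "https://api.example.test/v1/me?access_token=abc123&page=2",
    headers: [{ name: "Authorization", value: "Bearer tok_abc123" },
              { name: "X-Api-Key", value: "key_9f8e7d" }, { name: "Accept", value: "application/json" }],
    cookies: [{ name: "session", value: "sess_5555" }],
    queryString: [{ name: "access_token", value: "abc123" }, { name: "page", value: "2" }] },
  response: {
    status: 200, headers: [{ name: "Set-Cookie", value: "session=sess_5555; HttpOnly" }],
    content: { mimeType: "application/json", text: JSON.stringify({ user: "alice",
      email: "alice@example.test", id_token: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln" }) } },
}] } };
const REDACTED = "REDACTED";
const SECRET_HEADERS = new Set(["authorization", "cookie", "set-cookie", "x-api-key"]);
const SECRET_PARAMS = new Set(["access_token", "token", "sig"]);                  // query-string keys
const SECRET_BODY_KEYS = new Set(["token", "access_token", "password", "email"]); // body field names
// Compact-JWT heuristic: base64url of '{"' is "eyJ", followed by two more dot-separated segments.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/g;
const redactHeaders = hs => hs.map(h => SECRET_HEADERS.has(h.name.toLowerCase()) ? { ...h, value: REDACTED } : h);
const redactCookies = cs => cs.map(c => ({ ...c, value: REDACTED })); // every cookie value is a secret
const redactParams = qs => qs.map(q => SECRET_PARAMS.has(q.name.toLowerCase()) ? { ...q, value: REDACTED } : q);
function redactUrl(url) { // the URL field carries the query string independently of entry.queryString
  const u = new URL(url);
  for (const k of [...u.searchParams.keys()]) if (SECRET_PARAMS.has(k.toLowerCase())) u.searchParams.set(k, REDACTED);
  return u.toString();
}
// JSON bodies: redact by field name and scrub JWT-shaped strings; non-JSON text: JWT scrub only.
function redactBody(text) {
  let obj;
  try { obj = JSON.parse(text); } catch { return text.replace(JWT_RE, REDACTED); }
  const walk = v => Array.isArray(v) ? v.map(walk)
    : v && typeof v === "object" ? Object.fromEntries(Object.entries(v).map(([k, x]) =>
        [k, SECRET_BODY_KEYS.has(k.toLowerCase()) ? REDACTED : walk(x)]))
    : typeof v === "string" ? v.replace(JWT_RE, REDACTED) : v;
  return JSON.stringify(walk(obj));
}
function sanitizeHar(har) {
  const out = JSON.parse(JSON.stringify(har)); // deep copy; the original HAR is never mutated
  for (const { request: rq, response: rs } of out.log.entries) {
    rq.url = redactUrl(rq.url); rq.queryString = redactParams(rq.queryString || []);
    rq.headers = redactHeaders(rq.headers || []); rq.cookies = redactCookies(rq.cookies || []);
    if (rq.postData && typeof rq.postData.text === "string") rq.postData.text = redactBody(rq.postData.text);
    rs.headers = redactHeaders(rs.headers || []); rs.cookies = redactCookies(rs.cookies || []);
    if (rs.content && typeof rs.content.text === "string") rs.content.text = redactBody(rs.content.text);
  }
  return out;
}
// Verification step: report any known secret value that still appears anywhere in the output.
function leakedSecrets(har, secrets) { const s = JSON.stringify(har); return secrets.filter(x => s.includes(x)); }
```

Run `leakedSecrets(sanitizeHar(har), knownSecrets)` with the real session token and API key from the recording session; an empty array is the condition for attaching the file to a ticket.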
FAQ
- How do I export a HAR from Chrome? Open DevTools → Network → right-click any request → "Save all as HAR with content".
- What does HAR Sanitizer redact? Authorization headers, cookies, common API key headers, query-string secrets, and body fields that match secret / PII patterns.
- Can I replay the sanitized HAR? Not directly — credentials are removed. Use the cURL / Postman / fetch export and re-inject test credentials.
- Is the HAR uploaded? No. The HAR is parsed and sanitized in your browser using a Web Worker. Nothing is sent to a server.
- How big a HAR can it handle? Tens to a hundred MB on modern browsers; larger files may slow down rendering.
- Can it sanitize response bodies? Yes — JSON, form-encoded, and text bodies are scanned and redacted with the same patterns.
Runs locally in your browser using a Web Worker. No uploads. Always review redactions before sharing — sensitive data in response bodies is a common leak.