Does a HAR file contain cookies and tokens?

Yes — a HAR file records the headers, cookies, and bodies of the requests your browser made, so it can contain session cookies, bearer tokens, API keys, and personal data.

Open this example in HAR Sanitizer

Open the tool, then paste the sample input below. Everything runs locally in your browser.

The problem

A HAR (HTTP Archive) is a JSON capture of network activity. Anything sent or received — Cookie and Set-Cookie headers, Authorization tokens, API keys in URLs, and request/response payloads — is stored verbatim. Treat a HAR like a credential, not a log.

Sample input

Request headers inside a HAR
"headers": [
  { "name": "Authorization", "value": "Bearer example_token" },
  { "name": "Cookie", "value": "sessionid=example_session; csrftoken=example_csrf" },
  { "name": "X-Api-Key", "value": "api_key_example_123" }
]

Expected output

After redaction
"headers": [
  { "name": "Authorization", "value": "[REDACTED]" },
  { "name": "Cookie", "value": "[REDACTED]" },
  { "name": "X-Api-Key", "value": "[REDACTED]" }
]

All three credential-bearing headers are redacted before the HAR is shared.

How to do it

  1. Open the HAR file in a sanitizer.
  2. Search for Cookie and Set-Cookie.
  3. Search for Authorization.
  4. Search for token, api_key, session, and jwt.
  5. Redact every match before sharing.

Common mistakes

  • Assuming browser network logs are safe to share.
  • Checking only headers and ignoring URLs.
  • Forgetting secrets inside request bodies.
  • Forgetting tokens echoed in response bodies.
  • Sharing internal hostnames and endpoint URLs.
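
The steps and common mistakes above, scripted as an added example (not the HAR Sanitizer tool's own code): it redacts headers, the cookies arrays, URL query parameters, and JSON request and response bodies in a HAR 1.2 capture. The function names, the keyword pattern and the SAMPLE capture with its app.example.test host are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Names from the steps above, plus "password" from the FAQ; extend per application.
KEY = re.compile(r"authorization|cookie|token|api[_-]?key|session|jwt|password", re.I)
JWT_LIKE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]+")  # three base64url segments

def scrub_pairs(pairs, always=False):  # HAR name/value lists (headers, cookies, ...)
    for p in pairs or []:
        if always or KEY.search(p["name"]):
            p["value"] = REDACTED

def scrub_url(url):  # API keys in query strings are missed by header-only checks
    parts = urlsplit(url)
    q = [(k, REDACTED if KEY.search(k) else v) for k, v in parse_qsl(parts.query, True)]
    return urlunsplit(parts._replace(query=urlencode(q, safe="[]")))

def scrub_json(node):  # redact by field name at any depth, then scan strings for JWTs
    if isinstance(node, dict):
        return {k: REDACTED if KEY.search(k) else scrub_json(v) for k, v in node.items()}
    if isinstance(node, list):
        return [scrub_json(v) for v in node]
    return JWT_LIKE.sub(REDACTED, node) if isinstance(node, str) else node

def scrub_body(body):  # body is a postData or content object, or None
    if body and body.get("text"):
        try:
            body["text"] = json.dumps(scrub_json(json.loads(body["text"])))
        except ValueError:  # not JSON: fall back to a JWT pattern scan
            body["text"] = JWT_LIKE.sub(REDACTED, body["text"])

def sanitize_har(har):
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = scrub_url(req["url"])
        scrub_pairs(req.get("queryString"))
        scrub_pairs((req.get("postData") or {}).get("params"))
        for msg in (req, resp):
            scrub_pairs(msg.get("headers"))
            scrub_pairs(msg.get("cookies"), always=True)  # every cookie value goes
            scrub_body(msg.get("postData") or msg.get("content"))
    return har

SAMPLE = {"log": {"entries": [{  # constructed capture, not from a real session
    "request": {"url": "https://app.example.test/api?api_key=k1&page=2",
                "headers": [{"name": "Authorization", "value": "Bearer example_token"}],
                "postData": {"text": '{"user": "a", "password": "p"}'}},
    "response": {"headers": [], "content": {"text": '{"id": 7, "access_token": "t"}'}}}]}}
```

Internal hostnames and base64-encoded or binary bodies are not handled here and still need a manual pass before the file is shared.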

FAQ

Can a HAR file expose my session?

Yes. If it contains your session cookie or a valid bearer token, someone with the HAR could reuse it until it expires.

Can a HAR file contain JWT tokens?

Yes. JWTs commonly appear in Authorization headers or response bodies and are captured in the HAR.

Are cookies included in HAR files?

Yes. Request Cookie headers and response Set-Cookie headers are both recorded.

Can a HAR file contain passwords?

It can. A login request body can include a password field, which is stored in the HAR unless redacted.

How do I safely share a HAR file?

Redact cookies, Authorization headers, tokens, keys, and sensitive body fields first, then share only the sanitized file.

Inspect and redact HAR files locally in your browser. Nothing is uploaded.
