
Sanitize a HAR file before sharing it with support

A HAR file is a full recording of browser network activity — including cookies, Authorization headers, and tokens. Redact those before sharing it with a vendor or support team.

Open the tool, then paste the sample input below. Everything runs locally in your browser.

The problem

Support teams often ask for a HAR file to debug an issue, but a raw HAR can hand over live session cookies and bearer tokens. Redacting sensitive headers, cookies, and body fields lets you share the useful network trace without the credentials.

Sample input

Raw HAR entry (sensitive)
{
  "log": {
    "entries": [
      {
        "request": {
          "url": "https://api.example.com/account",
          "headers": [
            { "name": "Authorization", "value": "Bearer example_token" },
            { "name": "Cookie", "value": "sessionid=example_session" }
          ]
        }
      }
    ]
  }
}

Expected output

Sanitized HAR entry
{
  "log": {
    "entries": [
      {
        "request": {
          "url": "https://api.example.com/account",
          "headers": [
            { "name": "Authorization", "value": "[REDACTED]" },
            { "name": "Cookie", "value": "[REDACTED]" }
          ]
        }
      }
    ]
  }
}

The Authorization and Cookie header values are replaced with [REDACTED] while the request structure stays intact for debugging.

How to do it

  1. Export the HAR from your browser DevTools Network tab.
  2. Open the HAR Sanitizer.
  3. Paste or load the HAR file.
  4. Redact sensitive headers, cookies, tokens, and matching body fields.
  5. Review the sanitized result, including request and response bodies.
  6. Share only the sanitized HAR file.

Common mistakes

  • Sending a raw HAR file straight to a vendor.
  • Redacting headers but forgetting cookies and Authorization values.
  • Not checking secrets passed in query parameters.
  • Leaving sensitive data in request or response bodies.
  • Assuming HAR files are harmless logs.
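
The list above names places a secret can survive a header-only redaction: cookies, query parameters and bodies. The following is an added example, not the HAR Sanitizer's own code, that redacts each of those in a parsed HAR object using the standard HAR fields (`headers`, `cookies`, `queryString`, `postData`, `content`). The function names, the header set and the key-name pattern are assumptions chosen for illustration.

```javascript
const REDACTED = "[REDACTED]";
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization", "cookie", "set-cookie"]);
// Assumed pattern for secret-bearing parameter and field names; extend it for your own API.
const SENSITIVE_KEY = /token|secret|passw|api[-_]?key|session|signature/i;
const isKey = (name) => SENSITIVE_KEY.test(name);

// Overwrite, in place, the value of every {name, value} pair whose name is sensitive.
function redactPairs(pairs, isSensitive) {
  for (const p of pairs ?? []) if (isSensitive(p.name)) p.value = REDACTED;
}

// Redact secrets passed as query parameters; other URLs are returned untouched.
function redactUrl(url) {
  try {
    const u = new URL(url);
    let hit = false;
    for (const key of new Set(u.searchParams.keys())) {
      if (isKey(key)) { u.searchParams.set(key, REDACTED); hit = true; }
    }
    return hit ? u.toString() : url;
  } catch { return url; } // not an absolute URL: leave it for manual review
}

// Redact matching fields of a JSON body. A non-JSON body cannot be inspected, so drop it whole.
function redactBody(text) {
  const walk = (node) => {
    if (Array.isArray(node)) return node.map(walk);
    if (node === null || typeof node !== "object") return node;
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, isKey(k) ? REDACTED : walk(v)]));
  };
  try { return JSON.stringify(walk(JSON.parse(text))); } catch { return REDACTED; }
}

function sanitizeHar(har) {
  const out = JSON.parse(JSON.stringify(har)); // a HAR is plain JSON, so this copies it safely
  const isHeader = (n) => SENSITIVE_HEADERS.has(String(n).toLowerCase());
  for (const { request: req, response: res } of out.log?.entries ?? []) {
    for (const msg of [req, res]) {
      redactPairs(msg?.headers, isHeader);
      redactPairs(msg?.cookies, () => true); // treat every cookie value as a credential
    }
    if (req?.url) req.url = redactUrl(req.url);
    redactPairs(req?.queryString, isKey);
    redactPairs(req?.postData?.params, isKey);
    if (req?.postData?.text) req.postData.text = redactBody(req.postData.text);
    if (res?.content?.text) res.content.text = redactBody(res.content.text);
  }
  return out;
}
```

Inside a rewritten URL the placeholder appears percent-encoded, as `%5BREDACTED%5D`.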

FAQ

Should I sanitize a HAR file before sharing?

Yes. A HAR can contain live cookies, tokens, and personal data. Redact those before sharing it with anyone outside your trust boundary.

What sensitive data can a HAR file contain?

Cookies, Authorization headers, bearer tokens, API keys, query-string secrets, and full request and response bodies that may include personal data.

Can HAR files contain cookies?

Yes. Captured requests include Cookie headers, and responses can include Set-Cookie headers — both can expose a session.

Is the HAR file uploaded to a server?

No. The HAR Sanitizer processes the file locally in your browser; nothing is uploaded.

What should I check before sending a HAR file?

Authorization and Cookie headers, Set-Cookie responses, tokens or keys in URLs, and any personal data in request or response bodies.

The HAR Sanitizer runs locally in your browser. Your HAR file is never uploaded. Always review the redactions before sharing.
