Sanitize a HAR file before sharing it with support
A HAR file is a full recording of browser network activity — including cookies, Authorization headers, and tokens. Redact those before sharing it with a vendor or support team.
Open the tool, then paste the sample input below. Everything runs locally in your browser.
The problem
Support teams often ask for a HAR file to debug an issue, but a raw HAR can hand over live session cookies and bearer tokens. Redacting sensitive headers, cookies, and body fields lets you share the useful network trace without the credentials.
Sample input
{
"log": {
"entries": [
{
"request": {
"url": "https://api.example.com/account",
"headers": [
{ "name": "Authorization", "value": "Bearer example_token" },
{ "name": "Cookie", "value": "sessionid=example_session" }
]
}
}
]
}
}
Expected output
{
"log": {
"entries": [
{
"request": {
"url": "https://api.example.com/account",
"headers": [
{ "name": "Authorization", "value": "[REDACTED]" },
{ "name": "Cookie", "value": "[REDACTED]" }
]
}
}
]
}
}
The Authorization and Cookie header values are replaced with [REDACTED] while the request structure stays intact for debugging.
How to do it
- Export the HAR from your browser DevTools Network tab.
- Open the HAR Sanitizer.
- Paste or load the HAR file.
- Redact sensitive headers, cookies, tokens, and matching body fields.
- Review the sanitized result, including request and response bodies.
- Share only the sanitized HAR file.
Common mistakes
- Sending a raw HAR file straight to a vendor.
- Redacting headers but forgetting cookies and Authorization values.
- Not checking secrets passed in query parameters.
- Leaving sensitive data in request or response bodies.
- Assuming HAR files are harmless logs.
Related tools
- Scan text for secrets
- Decode JWTs and OAuth tokens
- Verify webhook signatures
- Parse URLs and query strings
Related guides
FAQ
Should I sanitize a HAR file before sharing?
Yes. A HAR can contain live cookies, tokens, and personal data. Redact those before sharing it with anyone outside your trust boundary.
What sensitive data can a HAR file contain?
Cookies, Authorization headers, bearer tokens, API keys, query-string secrets, and full request and response bodies that may include personal data.
Can HAR files contain cookies?
Yes. Captured requests include Cookie headers, and responses can include Set-Cookie headers — both can expose a session.
Is the HAR file uploaded to a server?
No. The HAR Sanitizer processes the file locally in your browser; nothing is uploaded.
What should I check before sending a HAR file?
Authorization and Cookie headers, Set-Cookie responses, tokens or keys in URLs, and any personal data in request or response bodies.
The HAR Sanitizer runs locally in your browser. Your HAR file is never uploaded. Always review the redactions before sharing.
Sanitize HAR files, verify webhook signatures, decode JWTs and inspect certificates — grouped in one place.
Practical example and expected result
A HAR file is a full recording of browser network activity — including cookies, Authorization headers, and tokens. Redact those before sharing it with a vendor or support team. In practice, this is most useful when you need a quick, repeatable check on a HAR capture before adding it to a ticket, pull request, test fixture, or support note.
A realistic input for this workflow is { "log": { "entries": [ { "request": { "url": "https://api.example.com/account", "headers": [ { "name": "Authorization", "value": "Bearer ex.... The expected result should resemble { "log": { "entries": [ { "request": { "url": "https://api.example.com/account", "headers": [ { "name": "Authorization", "value": "[REDACTED..., with the same important values preserved.
Troubleshooting checklist
- Confirm you copied the complete HAR capture and not only a partial line or truncated preview.
- Run the local tool once with a safe sample, then repeat with the real data only if your team policy allows it.
- Check quoting, escaping, whitespace, encoding, timestamps, and environment-specific values before trusting the result.
- Before sharing output, remove secrets, tokens, cookies, customer data, and production hostnames that are not needed for the review.
Next useful steps
- Open this example in HAR Sanitizer → for a related validation or follow-up step.
- Scan text for secrets for a related validation or follow-up step.
- Decode JWTs and OAuth tokens for a related validation or follow-up step.
- Use Magic Box when you are not sure which tool should handle the next artifact.