Evidence Sanitizer scans evidence text for lines that begin with an Authorization header and replaces the credential portion with a deterministic marker. Matching is case-insensitive on the header name and operates directly on raw text lines — there is no HTTP message parsing, body-boundary awareness, or Content-Length tracking. Three rule IDs cover the three common credential shapes: Bearer tokens, Base64-encoded Basic credentials, and any other HTTP token scheme.
Three Rule IDs
authorization.bearer
Matches Authorization: Bearer <credential> where the credential is a single non-whitespace token (no embedded spaces or tabs).
- Marker: <REDACTED:authorization.bearer>
- Requirement: exactly one whitespace-free credential token after the scheme
- No semantic validation: the token value is not decoded or inspected
authorization.basic
Matches Authorization: Basic <credential> where the credential is a single non-whitespace token.
- Marker: <REDACTED:authorization.basic>
- Requirement: exactly one whitespace-free credential token after the scheme
- No Base64 decode: the encoded value is replaced as-is; username/password are never extracted
authorization.other
Matches any other syntactically valid Authorization scheme — where the scheme is composed of HTTP token characters — and replaces the full credential section following the scheme name.
- Marker: <REDACTED:authorization.credentials>
- No single-token requirement: the credential section may contain spaces (e.g., Digest parameters)
- Scheme character set: !#$%&'*+-.^_|~` plus alphanumerics
Exact Line-Start Matching
The Authorization header name must appear at the very start of a physical line. The matching is case-insensitive — authorization, AUTHORIZATION, and Authorization are all matched. Optional horizontal whitespace (space or tab) is permitted between the header name and the : separator, and between : and the scheme.
Folded headers — where the next physical line starts with a space or tab — are not supported. Folded Authorization headers are left unchanged.
Idempotence
If the credential section of an Authorization header is already one of the three approved markers, no finding is produced and the line is not modified on subsequent passes.
The approved markers for idempotence are:
- <REDACTED:authorization.bearer>
- <REDACTED:authorization.basic>
- <REDACTED:authorization.credentials>
Complete Before/After Example
The following shows all three rule IDs firing in one evidence snippet:
Out of Scope
- Proxy-Authorization is handled by its own dedicated rule family (Proxy-Auth).
- WWW-Authenticate and Proxy-Authenticate response headers are not matched.
- Folded Authorization headers (continuation lines starting with space/tab) are left unchanged.
- Multi-credential or parameterized Bearer tokens that contain embedded whitespace are not matched by authorization.bearer or authorization.basic — only authorization.other accepts credential sections with internal spaces.
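The rules on this page (three rule IDs, line-start matching, folded-header handling, idempotence and the out-of-scope cases) as a Python sketch. This is an added example written from the descriptions above, not Evidence Sanitizer's own code; the function name sanitize, the sample lines, the case-insensitive scheme comparison and leaving whitespace-containing Bearer/Basic credentials untouched are assumptions.

```python
import re

# Sketch written from the rule descriptions on this page; assumed details are marked.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"  # HTTP token characters
HEADER = re.compile(
    rf"^(authorization[ \t]*:[ \t]*({TCHAR}+)[ \t]+)(\S.*)$", re.IGNORECASE)
MARKERS = {
    "bearer": "<REDACTED:authorization.bearer>",
    "basic": "<REDACTED:authorization.basic>",
    "other": "<REDACTED:authorization.credentials>",
}

def sanitize(text):
    """Return (sanitized_text, [(line_no, rule_id), ...])."""
    lines = text.split("\n")
    findings = []
    for i, line in enumerate(lines):
        # Folded header: the next physical line starts with space/tab, leave unchanged.
        if i + 1 < len(lines) and lines[i + 1][:1] in (" ", "\t"):
            continue
        m = HEADER.match(line)          # header name must start the physical line
        if not m:
            continue
        prefix, scheme, cred = m.groups()
        if cred in MARKERS.values():    # idempotence: credential is already a marker
            continue
        kind = scheme.lower()           # assumption: scheme compared case-insensitively
        if kind in ("bearer", "basic"):
            if re.search(r"\s", cred):  # assumption: not a single token, so no match
                continue
        else:
            kind = "other"              # any other token scheme; spaces allowed
        lines[i] = prefix + MARKERS[kind]
        findings.append((i + 1, "authorization." + kind))
    return "\n".join(lines), findings

# Constructed evidence snippet; every credential below is made up.
SAMPLE = "\n".join([
    "GET /api HTTP/1.1",
    "Authorization: Bearer abc.def.ghi",
    "authorization : Basic dXNlcjpwYXNz",
    'AUTHORIZATION: Digest username="u", response="0a1b"',
    "Proxy-Authorization: Basic dXNlcjpwYXNz",
    "  Authorization: Bearer indented-token",
    "Authorization: Bearer folded-token",
    "\tcontinuation",
])
```

In this sketch the Proxy-Authorization, indented and folded lines come back unchanged, so their credentials remain in the output and have to be caught by another rule or by review.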