Evidence Sanitizer scans evidence text for lines that begin with an Authorization header and replaces the credential portion with a deterministic marker. Matching is case-insensitive on the header name and operates directly on raw text lines — there is no HTTP message parsing, body-boundary awareness, or Content-Length tracking. Three rule IDs cover the three common credential shapes: Bearer tokens, Base64-encoded Basic credentials, and any other HTTP token scheme.

Three Rule IDs

authorization.bearer

Matches Authorization: Bearer <credential> where the credential is a single non-whitespace token (no embedded spaces or tabs).
  • Marker: <REDACTED:authorization.bearer>
  • Requirement: exactly one whitespace-free credential token after the scheme
  • No semantic validation: the token value is not decoded or inspected
Before:
Authorization: Bearer synthetic-bearer-token
After:
Authorization: Bearer <REDACTED:authorization.bearer>

authorization.basic

Matches Authorization: Basic <credential> where the credential is a single non-whitespace token.
  • Marker: <REDACTED:authorization.basic>
  • Requirement: exactly one whitespace-free credential token after the scheme
  • No Base64 decode: the encoded value is replaced as-is; username/password are never extracted
Before:
Authorization: Basic synthetic-basic-token
After:
Authorization: Basic <REDACTED:authorization.basic>

authorization.other

Matches any other syntactically valid Authorization scheme — where the scheme is composed of HTTP token characters — and replaces the full credential section following the scheme name.
  • Marker: <REDACTED:authorization.credentials>
  • No single-token requirement: the credential section may contain spaces (e.g., Digest parameters)
  • Scheme character set: !#$%&'*+-.^_|~` plus alphanumerics
Before:
Authorization: AMX app:signature:nonce
After:
Authorization: AMX <REDACTED:authorization.credentials>

Exact Line-Start Matching

The Authorization header name must appear at the very start of a physical line. The matching is case-insensitive — authorization, AUTHORIZATION, and Authorization are all matched. Optional horizontal whitespace (space or tab) is permitted between the header name and the : separator, and between : and the scheme.
Folded headers — where the next physical line starts with a space or tab — are not supported. Folded Authorization headers are left unchanged.

Idempotence

If the credential section of an Authorization header is already one of the three approved markers, no finding is produced and the line is not modified on subsequent passes. The approved markers for idempotence are:
  • <REDACTED:authorization.bearer>
  • <REDACTED:authorization.basic>
  • <REDACTED:authorization.credentials>
Idempotence applies per-marker. A line containing <REDACTED:authorization.bearer> is skipped even if the scheme is Basic — the presence of any approved marker in the credential position suppresses the finding.

Complete Before/After Example

The following shows all three rule IDs firing in one evidence snippet.
Before:
Authorization: Bearer synthetic-bearer-token
Authorization: Basic synthetic-basic-token
Authorization: AMX app:signature:nonce
After:
Authorization: Bearer <REDACTED:authorization.bearer>
Authorization: Basic <REDACTED:authorization.basic>
Authorization: AMX <REDACTED:authorization.credentials>
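The rules above, re-implemented as an added example (this is not Evidence Sanitizer's own code): one regex enforces line-start, case-insensitive matching with optional space/tab around the colon, the three rule IDs are selected by scheme, and approved markers suppress findings so a second pass changes nothing. The sample evidence is constructed; one assumption is that a Bearer or Basic value with embedded whitespace produces no finding at all rather than falling through to authorization.other.

```python
import re
# Added example, not the project's code: re-implements this page's three rules.
MARKERS = {
    "authorization.bearer": "<REDACTED:authorization.bearer>",
    "authorization.basic": "<REDACTED:authorization.basic>",
    "authorization.other": "<REDACTED:authorization.credentials>",
}
APPROVED_MARKERS = set(MARKERS.values())
# Header name at the very start of the line (folded lines never match), case-
# insensitive, optional space/tab around ':'; scheme = HTTP token characters;
# credential = the rest of the line minus trailing whitespace.
HEADER_RE = re.compile(
    r"^authorization[ \t]*:[ \t]*"
    r"(?P<scheme>[!#$%&'*+\-.^_`|~0-9A-Za-z]+)[ \t]+(?P<cred>.+?)[ \t]*$",
    re.IGNORECASE,
)

def sanitize_line(line):
    m = HEADER_RE.match(line)
    if m is None or m.group("cred") in APPROVED_MARKERS:
        return line, None  # not a header line, or already redacted (idempotence)
    scheme, cred = m.group("scheme").lower(), m.group("cred")
    if scheme in ("bearer", "basic"):
        # One whitespace-free token required; assumption: embedded whitespace
        # in a Bearer/Basic value yields no finding and the line is left as-is.
        if re.search(r"[ \t]", cred):
            return line, None
        rule = f"authorization.{scheme}"
    else:
        rule = "authorization.other"  # any other tchar scheme; spaces are allowed
    return line[: m.start("cred")] + MARKERS[rule], rule

def sanitize(text):
    # Returns (sanitized text, [(line number, rule ID), ...]).
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        new, rule = sanitize_line(line)
        out.append(new)
        if rule:
            findings.append((no, rule))
    return "\n".join(out), findings

# Constructed evidence: three rules, embedded-space Bearer, already-redacted,
# header not at line start, folded continuation line.
EVIDENCE = "\n".join([
    "Authorization: Bearer synthetic-bearer-token",
    "authorization :Basic synthetic-basic-token",
    "AUTHORIZATION: AMX app:signature:nonce",
    "Authorization: Bearer two tokens",
    "Authorization: Bearer <REDACTED:authorization.bearer>",
    "X-Note: Authorization: Bearer mid-line",
    " Authorization: Bearer folded-continuation",
])
```

Running `sanitize(EVIDENCE)` redacts only the first three lines and reports three findings; running it again over its own output reports none.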

Out of Scope

  • Proxy-Authorization is handled by its own dedicated rule family (Proxy-Auth).
  • WWW-Authenticate and Proxy-Authenticate response headers are not matched.
  • Folded Authorization headers (continuation lines starting with space/tab) are left unchanged.
  • Multi-credential or parameterized Bearer tokens that contain embedded whitespace are not matched by authorization.bearer or authorization.basic — only authorization.other accepts credential sections with internal spaces.