
Evidence Sanitizer scans evidence text for Cookie request headers and redacts individual cookie values based on per-name classification. Rather than redacting all cookies blindly, the engine parses the header value into name/value pairs and classifies each name — sensitive session and auth cookies, telemetry tracker cookies, and unknown cookies are all redacted, while a small set of harmless preference cookies (such as theme) are preserved. If the cookie header cannot be parsed safely, the entire header value is replaced with a single fallback marker.

Two Rule IDs

Rule ID         Marker                      When Used
cookie.value    <REDACTED:cookie.value>     Per-cookie value replacement for successfully parsed headers
cookie.header   <REDACTED:cookie.header>    Whole-header fallback when cookie parsing fails

Each cookie name is normalized to ASCII lowercase before classification. Classification is checked in this order:
  1. Sensitive — exact name in the sensitive set → REDACTED
  2. Sensitive family — name starts with a sensitive prefix family → REDACTED
  3. Telemetry — exact name in the telemetry set → REDACTED
  4. Telemetry prefix — name starts with a telemetry prefix family → REDACTED
  5. Harmless — exact name in the harmless set → PRESERVED
  6. Unknown — anything else → REDACTED
Unknown cookie names are redacted by default. Only cookies explicitly listed in the harmless set are preserved.
These exact names (case-insensitive) are classified as sensitive: session, sessionid, session_id, sid, auth, auth_token, access_token, refresh_token, token, jwt, sso, sso_state, username, user, userid, user_id, email, identity, account, account_id, customer, customer_id, tenant, tenant_id, portalauth, asp.net_sessionid, jsessionid, phpsessid, connect.sid, laravel_session

Additionally, the following name prefix families are treated as sensitive:
  • Names starting with aspsessionid followed by alphanumeric characters (e.g., aspsessionidabcd1234)
  • Names starting with remember_web_ followed by one or more HTTP token characters (e.g., remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d)
These exact names are classified as telemetry (analytics/tracking cookies): _ga, _gid, _gat, _fbp, _fbc, _hjid, _clck, _clsk, ajs_anonymous_id, ajs_user_id, _mkto_trk, hubspotutk, __hstc, __hssc, __hssrc

Additionally, names starting with any of these prefixes (with additional characters after the prefix) are classified as telemetry: _ga_, _gat_, _hjsession_, _hjsessionuser_, amplitude_, amp_, mp_

Only these three names are preserved without redaction: theme, color_scheme, display_mode

Before/After Example

Cookie: session=synthetic-session-cookie; _ga=synthetic-telemetry-id; theme=dark; unknown=synthetic-value
Cookie: session=<REDACTED:cookie.value>; _ga=<REDACTED:cookie.value>; theme=dark; unknown=<REDACTED:cookie.value>
In this example:
  • session → sensitive → redacted
  • _ga → telemetry → redacted
  • theme → harmless → preserved
  • unknown → unknown → redacted
If the cookie header value cannot be parsed into valid name/value pairs — for example due to malformed syntax, unsupported control characters, or unterminated quoted values — the entire trimmed header value is replaced with a single <REDACTED:cookie.header> marker.
Cookie: @@malformed@@
Cookie: <REDACTED:cookie.header>
When fallback triggers, all cookie values in the header (including harmless ones) are replaced together. The cookie.header fallback is conservative — malformed evidence is fully redacted.

Idempotence

If the trimmed header value is exactly <REDACTED:cookie.value> or <REDACTED:cookie.header>, no finding is produced. Individual cookie values that are already an approved cookie marker are also skipped.

Exact Line-Start Matching

The Cookie header name must appear at the very start of a physical line. The name match is case-insensitive.
Folded Cookie headers, where the next physical line starts with a space or tab, are not supported and are left unchanged.

Out of Scope

  • Set-Cookie response headers are not matched by any rule.
  • Folded Cookie headers are left unchanged.
  • Cookie attribute directives (Path, Domain, Expires, HttpOnly, Secure, SameSite) appear only in Set-Cookie and are therefore out of scope.
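The following Python is an added illustration, not the project's own code: it models the classification order, per-cookie redaction, the cookie.header fallback, idempotence and the line-start and folding rules described on this page. The parsing grammar (RFC 7230 token names, RFC 6265 cookie-octet values, optionally double-quoted) is an assumption, since the page does not specify how the engine parses a header.

```python
import re
# Hypothetical re-implementation of the rules described above; not the project's own code.
SENSITIVE = {"session", "sessionid", "session_id", "sid", "auth", "auth_token", "access_token",
             "refresh_token", "token", "jwt", "sso", "sso_state", "username", "user", "userid", "user_id",
             "email", "identity", "account", "account_id", "customer", "customer_id", "tenant", "tenant_id",
             "portalauth", "asp.net_sessionid", "jsessionid", "phpsessid", "connect.sid", "laravel_session"}
TELEMETRY = {"_ga", "_gid", "_gat", "_fbp", "_fbc", "_hjid", "_clck", "_clsk", "ajs_anonymous_id",
             "ajs_user_id", "_mkto_trk", "hubspotutk", "__hstc", "__hssc", "__hssrc"}
TELEMETRY_PREFIXES = ("_ga_", "_gat_", "_hjsession_", "_hjsessionuser_", "amplitude_", "amp_", "mp_")
HARMLESS = {"theme", "color_scheme", "display_mode"}
VALUE_MARKER, HEADER_MARKER = "<REDACTED:cookie.value>", "<REDACTED:cookie.header>"
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"   # RFC 7230 token chars (assumed parser grammar)
OCTET = r'[^\x00-\x1f\x7f ;,"\\]'          # RFC 6265 cookie-octet (assumed parser grammar)
SENSITIVE_PREFIX = re.compile(rf"^(aspsessionid[a-z0-9]+|remember_web_{TOKEN})$")
PAIR_RE = re.compile(rf'^({TOKEN})=("{OCTET}*"|{OCTET}*)$')   # bare or double-quoted value
HEADER_RE = re.compile(r"^(cookie:[ \t]*)(.*)$", re.IGNORECASE)  # exact line start, any case

def classify(name):
    n = name.lower()  # cookie names are ASCII tokens, so lower() is ASCII lowercasing
    if n in SENSITIVE or SENSITIVE_PREFIX.match(n):
        return "sensitive"
    if n in TELEMETRY or any(n.startswith(p) and len(n) > len(p) for p in TELEMETRY_PREFIXES):
        return "telemetry"
    return "harmless" if n in HARMLESS else "unknown"

def parse_cookie_header(value):   # -> [(name, value), ...] or None if any pair is malformed
    pairs = []
    for part in value.split(";"):
        m = PAIR_RE.match(part.strip())
        if not m: return None
        pairs.append((m.group(1), m.group(2)))
    return pairs

def redact_cookie_value(value):
    value = value.strip()
    if value in (VALUE_MARKER, HEADER_MARKER):   # idempotence: already sanitized header
        return value
    pairs = parse_cookie_header(value)
    if pairs is None:                            # unparsable: cookie.header fallback
        return HEADER_MARKER
    return "; ".join(f"{n}={v}" if v == VALUE_MARKER or classify(n) == "harmless"
                     else f"{n}={VALUE_MARKER}" for n, v in pairs)

def sanitize(text):
    lines = text.split("\n")
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if m and not (i + 1 < len(lines) and lines[i + 1][:1] in (" ", "\t")):  # skip folded
            lines[i] = m.group(1) + redact_cookie_value(m.group(2))
    return "\n".join(lines)
```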
