Evidence Sanitizer scans evidence text for Cookie request headers and redacts individual cookie values based on per-name classification. Rather than redacting all cookies blindly, the engine parses the header value into name/value pairs and classifies each name: sensitive session and auth cookies, telemetry tracker cookies, and unknown cookies are all redacted, while a small set of harmless preference cookies (such as theme) is preserved. If the cookie header cannot be parsed safely, the entire header value is replaced with a single fallback marker.
Two Rule IDs
| Rule ID | Marker | When Used |
|---|---|---|
| cookie.value | <REDACTED:cookie.value> | Per-cookie value replacement for successfully parsed headers |
| cookie.header | <REDACTED:cookie.header> | Whole-header fallback when cookie parsing fails |
Cookie Name Classification
Each cookie name is normalized to ASCII lowercase before classification. Classification is checked in this order:
- Sensitive — exact name in the sensitive set → REDACTED
- Sensitive family — name starts with a sensitive prefix family → REDACTED
- Telemetry — exact name in the telemetry set → REDACTED
- Telemetry prefix — name starts with a telemetry prefix family → REDACTED
- Harmless — exact name in the harmless set → PRESERVED
- Unknown — anything else → REDACTED
Unknown cookie names are redacted by default. Only cookies explicitly listed in the harmless set are preserved.
Sensitive Cookie Names — Always Redacted
These exact names (case-insensitive) are classified as sensitive:
session, sessionid, session_id, sid, auth, auth_token, access_token, refresh_token, token, jwt, sso, sso_state, username, user, userid, user_id, email, identity, account, account_id, customer, customer_id, tenant, tenant_id, portalauth, asp.net_sessionid, jsessionid, phpsessid, connect.sid, laravel_session
Additionally, the following name prefix families are treated as sensitive:
- Names starting with `aspsessionid` followed by alphanumeric characters (e.g., `aspsessionidabcd1234`)
- Names starting with `remember_web_` followed by one or more HTTP token characters (e.g., `remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d`)
Telemetry Cookie Names — Always Redacted
These exact names are classified as telemetry (analytics/tracking cookies):
_ga, _gid, _gat, _fbp, _fbc, _hjid, _clck, _clsk, ajs_anonymous_id, ajs_user_id, _mkto_trk, hubspotutk, __hstc, __hssc, __hssrc
Additionally, names starting with any of these prefixes (with additional characters after the prefix) are classified as telemetry:
_ga_, _gat_, _hjsession_, _hjsessionuser_, amplitude_, amp_, mp_
Harmless Cookie Names — Always Preserved
Only these three names are preserved without redaction:
theme, color_scheme, display_mode
Before/After Example
- session → sensitive → redacted
- _ga → telemetry → redacted
- theme → harmless → preserved
- unknown → unknown → redacted
Fallback: cookie.header
If the cookie header value cannot be parsed into valid name/value pairs — for example due to malformed syntax, unsupported control characters, or unterminated quoted values — the entire trimmed header value is replaced with a single <REDACTED:cookie.header> marker.
Idempotence
If the trimmed header value is exactly <REDACTED:cookie.value> or <REDACTED:cookie.header>, no finding is produced. Individual cookie values that are already an approved cookie marker are also skipped.
Exact Line-Start Matching
The Cookie header name must appear at the very start of a physical line. The name match is case-insensitive.
Folded Cookie headers — where the next physical line starts with a space or tab — are not supported. Folded Cookie headers are left unchanged, so any cookie values they carry remain in the evidence and should be reviewed by hand.
Out of Scope
- Set-Cookie response headers are not matched by any rule.
- Folded Cookie headers are left unchanged.
- Cookie attribute directives (Path, Domain, Expires, HttpOnly, Secure, SameSite) appear only in Set-Cookie and are therefore out of scope.
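To make the rules on this page concrete, here is an added example implementation in Python. It is not the Evidence Sanitizer project's own code: it applies the classification order, the per-cookie cookie.value replacement, the cookie.header fallback, the idempotence check, and the line-start and folding rules described above to a constructed evidence sample. The RFC 6265 cookie-pair grammar used to decide when a header "cannot be parsed safely", the function names, and the sample evidence are assumptions of this example.

```python
"""Cookie-header redaction modelled on the rules on this page.

Added example, not the Evidence Sanitizer project's code. The function names,
the RFC 6265 cookie-pair grammar used as the "parses safely" test, and the
sample evidence are assumptions of this example.
"""
import re
import string

VALUE_MARKER = "<REDACTED:cookie.value>"
HEADER_MARKER = "<REDACTED:cookie.header>"

SENSITIVE = {
    "session", "sessionid", "session_id", "sid", "auth", "auth_token",
    "access_token", "refresh_token", "token", "jwt", "sso", "sso_state",
    "username", "user", "userid", "user_id", "email", "identity", "account",
    "account_id", "customer", "customer_id", "tenant", "tenant_id",
    "portalauth", "asp.net_sessionid", "jsessionid", "phpsessid",
    "connect.sid", "laravel_session",
}
# Prefix families (names are already ASCII-lowercased when matched).
SENSITIVE_FAMILY_RE = re.compile(
    r"^(?:aspsessionid[0-9a-z]+|remember_web_[!#$%&'*+\-.^_`|~0-9a-z]+)$")
TELEMETRY = {
    "_ga", "_gid", "_gat", "_fbp", "_fbc", "_hjid", "_clck", "_clsk",
    "ajs_anonymous_id", "ajs_user_id", "_mkto_trk", "hubspotutk",
    "__hstc", "__hssc", "__hssrc",
}
TELEMETRY_PREFIXES = ("_ga_", "_gat_", "_hjsession_", "_hjsessionuser_",
                      "amplitude_", "amp_", "mp_")
HARMLESS = {"theme", "color_scheme", "display_mode"}

# Assumed parse test: RFC 6265 cookie-pair = token "=" cookie-value, where the
# value is cookie-octets, optionally wrapped in DQUOTEs. cookie-octet excludes
# CTLs, whitespace, DQUOTE, comma, semicolon and backslash.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_OCTETS = r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"
_PAIR_RE = re.compile(rf'^({_TOKEN})=("{_OCTETS}"|{_OCTETS})$')
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)
_HEADER_RE = re.compile(r"^(cookie:)(.*)$", re.IGNORECASE)


def classify(name: str) -> str:
    """Classify a cookie name in the documented order; unknown fails closed."""
    n = name.translate(_ASCII_LOWER)            # ASCII-only lowercasing
    if n in SENSITIVE or SENSITIVE_FAMILY_RE.match(n):
        return "sensitive"
    if n in TELEMETRY or any(n.startswith(p) and len(n) > len(p)
                             for p in TELEMETRY_PREFIXES):
        return "telemetry"
    if n in HARMLESS:
        return "harmless"
    return "unknown"


def sanitize_cookie_header(value: str):
    """Redact one Cookie header value. Returns (new_value, findings) where
    findings is a list of (rule_id, cookie_name_or_None)."""
    stripped = value.strip(" \t")
    if stripped in (VALUE_MARKER, HEADER_MARKER):
        return value, []                        # already sanitized: idempotent
    lead = value[:len(value) - len(value.lstrip(" \t"))]
    trail = value[len(value.rstrip(" \t")):]
    parts = re.split(r"(\s*;\s*)", stripped)    # separators kept at odd indices
    findings = []
    for i in range(0, len(parts), 2):
        m = _PAIR_RE.match(parts[i])
        if not m:                               # unparseable: whole-header fallback
            return lead + HEADER_MARKER + trail, [("cookie.header", None)]
        name, val = m.group(1), m.group(2)
        if classify(name) == "harmless" or val == VALUE_MARKER:
            continue                            # preserve, or already redacted
        parts[i] = f"{name}={VALUE_MARKER}"
        findings.append(("cookie.value", name))
    return lead + "".join(parts) + trail, findings


def sanitize_text(text: str):
    """Redact Cookie headers that start a physical line. Folded headers (next
    line starts with SP/HT) and Set-Cookie lines are left unchanged."""
    lines = text.split("\n")
    findings = []
    for i, line in enumerate(lines):
        m = _HEADER_RE.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if nxt[:1] in (" ", "\t"):              # folded: unsupported, skip
            continue
        new_value, found = sanitize_cookie_header(m.group(2))
        lines[i] = m.group(1) + new_value
        findings.extend(found)
    return "\n".join(lines), findings


EVIDENCE = (  # constructed sample, not captured traffic
    "GET /account HTTP/1.1\n"
    "Host: example.test\n"
    "Cookie: session=abc123; _ga=GA1.2.111.222; theme=dark; unknown=x\n"
    'cookie: broken="unterminated; theme=light\n'
    "Cookie: ASPSESSIONIDQACRTDAB=FOO; remember_web_59ba36=tok\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly\n"
    "Cookie: sid=folded1;\n"
    " other=2\n"
)

if __name__ == "__main__":
    out, found = sanitize_text(EVIDENCE)
    print(out)
    print(found)
```

Running it twice over the same evidence is the idempotence check: the second pass reports no findings and returns the text unchanged, because each value is already the approved marker and the fallback line is exactly `<REDACTED:cookie.header>`.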