Evidence Sanitizer treats Proxy-Authorization headers as a fully independent rule family from Authorization. The detection logic mirrors the Authorization rules in structure, but uses dedicated rule IDs and markers so that proxy credential findings are always clearly distinguished in reports. Matching is case-insensitive on the header name and operates on exact line-start matches in raw text — no HTTP message parsing is performed.
Three Rule IDs
proxy_authorization.bearer
Matches Proxy-Authorization: Bearer <credential> where the credential is a single non-whitespace token.
- Marker: <REDACTED:proxy_authorization.bearer>
- Requirement: exactly one whitespace-free credential token after the scheme
proxy_authorization.basic
Matches Proxy-Authorization: Basic <credential> where the credential is a single non-whitespace token.
- Marker: <REDACTED:proxy_authorization.basic>
- Requirement: exactly one whitespace-free credential token after the scheme
- No Base64 decode: the encoded value is replaced as-is
proxy_authorization.other
Matches any other syntactically valid Proxy-Authorization scheme and replaces the full credential section following the scheme name.
- Marker: <REDACTED:proxy_authorization.credentials>
- Accepts credential sections with internal spaces (e.g., Digest parameter lists)
Exact Line-Start Matching
The Proxy-Authorization header name must appear at the very start of a physical line. The header name match is case-insensitive. Optional horizontal whitespace is permitted between the header name and :, and between : and the scheme.
Folded proxy headers — where the next physical line starts with a space or tab — are not supported and are left unchanged. However, folded Proxy-Authorization spans are tracked as protected regions so that the form, query, and JSON scanners do not redact inside them.
Idempotence
If the credential section is already one of the three approved proxy markers, no finding is produced. The approved proxy markers are:
- <REDACTED:proxy_authorization.bearer>
- <REDACTED:proxy_authorization.basic>
- <REDACTED:proxy_authorization.credentials>
Complete Before/After Example
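The rules described on this page, sketched in Python as an added example; this is not Evidence Sanitizer's own code. The regular expression, the `sanitize` function, case-insensitive scheme matching, and leaving a multi-token Bearer or Basic value unchanged are assumptions, and the sample input is constructed.

```python
import re

# Assumed grammar: header name at column 0 (case-insensitive), optional
# horizontal whitespace around ':', an RFC 9110 token as the scheme, then
# the credential section running to the end of the physical line.
HEADER = re.compile(
    r"(?P<head>proxy-authorization[ \t]*:[ \t]*"
    r"(?P<scheme>[A-Za-z0-9!#$%&'*+.^_`|~-]+)[ \t]+)"
    r"(?P<cred>\S.*?)(?P<tail>[ \t]*\r?)",
    re.IGNORECASE,
)
MARKERS = {  # rule ID -> marker, as listed on this page
    "proxy_authorization.bearer": "<REDACTED:proxy_authorization.bearer>",
    "proxy_authorization.basic": "<REDACTED:proxy_authorization.basic>",
    "proxy_authorization.other": "<REDACTED:proxy_authorization.credentials>",
}

def sanitize(text):
    """Return (sanitized_text, findings); findings are (line_no, rule_id)."""
    lines = text.split("\n")  # physical lines; a trailing '\r' stays attached
    out, findings = [], []
    for i, line in enumerate(lines):
        m = HEADER.fullmatch(line)
        folded = i + 1 < len(lines) and lines[i + 1][:1] in (" ", "\t")
        if not m or folded or m["cred"] in MARKERS.values():
            out.append(line)  # no match, folded header, or already redacted
            continue
        scheme = m["scheme"].lower()  # assumption: scheme is case-insensitive
        rule = "proxy_authorization." + (
            scheme if scheme in ("bearer", "basic") else "other")
        if rule != "proxy_authorization.other" and re.search(r"\s", m["cred"]):
            out.append(line)  # assumption: multi-token Bearer/Basic is left alone
            continue
        findings.append((i + 1, rule))
        out.append(m["head"] + MARKERS[rule] + m["tail"])
    return "\n".join(out), findings

SAMPLE = (  # constructed input, not real credentials
    "CONNECT example.test:443 HTTP/1.1\r\n"
    "proxy-authorization : Bearer tok_EXAMPLE\r\n"
    "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n"
    'Proxy-Authorization: Digest username="u", nonce="n"\r\n'
    "X-Proxy-Authorization: Bearer tok_EXAMPLE\r\n"      # out of scope
    'Proxy-Authorization: Digest username="u",\r\n'      # folded: unchanged
    ' nonce="n"\r\n'
)
```

Running `sanitize` a second time over its own output produces no findings, which is the idempotence property described above.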
Out of Scope
The following proxy-related headers are explicitly not matched by any rule:
- Proxy-Authenticate (response challenge header)
- WWW-Authenticate
- X-Proxy-Authorization
- Forwarded
- X-Forwarded-* header family
- Via
- Any other proxy-related or forwarding header
Proxy-Authorization headers are within scope.