
Evidence Sanitizer scans raw evidence text for URL query strings and replaces values of known sensitive parameter names with the query.secret marker. Scanning starts at every ? character found anywhere in the text — no URL parsing, no scheme validation, and no per-line restriction. Parameter names are matched case-insensitively against a fixed list. The scanner operates on the raw text as written; no percent-decoding or URL normalization is performed.

Rule ID and Marker

Rule ID        Marker
query.secret   <REDACTED:query.secret>

Sensitive Query Parameter Names

The following parameter names trigger query.secret redaction (case-insensitive): access_token, auth_token, id_token, jwt, refresh_token, session, session_id, sid, token, api-key, api_key, apikey, client_secret, sig, signature, x-amz-credential, x-amz-security-token, x-amz-signature, x-goog-credential, x-goog-signature

Before/After Example

Before:
GET /api/profile?access_token=synthetic-token&sig=synthetic-signature&theme=dark HTTP/1.1

After:
GET /api/profile?access_token=<REDACTED:query.secret>&sig=<REDACTED:query.secret>&theme=dark HTTP/1.1

From the golden fixture http_request_mixed, three query parameters fire in one request line:

Before:
GET /api/profile?access_token=synthetic-access-token&sig=synthetic-signature&api_key=synthetic-api-key&theme=dark HTTP/1.1

After:
GET /api/profile?access_token=<REDACTED:query.secret>&sig=<REDACTED:query.secret>&api_key=<REDACTED:query.secret>&theme=dark HTTP/1.1

theme is not in the sensitive parameter list and is left unchanged.

Raw Text Scanning

The query scanner does not parse URLs into components. It finds every ? in the evidence text and then consumes name=value segments delimited by &. Token boundaries are whitespace characters and common URL-context delimiters (", ', `, <, >). A # character ends the current query segment and causes the scanner to advance to the end of the URL fragment.
Parameter names are matched against the exact raw text between the ? (or &) and the =. Percent-encoded parameter names are not supported. A parameter written as %61ccess_token=... will not match access_token.

Overlap Protection

The query scanner is evaluated after Authorization, Proxy-Authorization, Cookie, Sensitive Header, and Form findings have already been collected. If a query parameter value span overlaps with any existing finding, the query finding is skipped rather than double-redacted.

Authorization: Bearer synthetic-bearer-token?access_token=synthetic-token

In the above example, if access_token=synthetic-token falls within the span of an authorization.bearer finding, the query.secret finding is suppressed. The broader Authorization finding takes priority. Additionally, folded Proxy-Authorization header spans are registered as protected regions: query findings that overlap those spans are also skipped.

Idempotence

If a matched query parameter value is already exactly <REDACTED:query.secret>, no finding is produced.
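As an added example (not Evidence Sanitizer's own code), here is a minimal Python re-implementation of the raw-text scanning, overlap-protection and idempotence rules described above. It assumes that findings from earlier rules are represented as (start, end) character spans into the raw text, and that an empty parameter value produces no finding.

```python
# Added example, not Evidence Sanitizer's own code: a minimal re-implementation
# of the query.secret rules described on this page. Findings are modelled as
# (start, end) character spans into the raw text (an assumption of this example).

SENSITIVE_QUERY_PARAMS = {
    "access_token", "auth_token", "id_token", "jwt", "refresh_token",
    "session", "session_id", "sid", "token", "api-key", "api_key", "apikey",
    "client_secret", "sig", "signature", "x-amz-credential",
    "x-amz-security-token", "x-amz-signature", "x-goog-credential",
    "x-goog-signature",
}
MARKER = "<REDACTED:query.secret>"
BOUNDARY = set(" \t\r\n\"'`<>")  # whitespace and URL-context delimiters


def find_query_secrets(text, protected=()):
    """Return (start, end) spans of sensitive query values in raw text.

    Spans overlapping any (start, end) in `protected` (findings collected by
    earlier rules) are skipped; an already-redacted or empty value yields none.
    """
    spans = []
    pos = text.find("?")                      # scanning starts at every "?"
    while pos != -1:
        i = pos + 1
        while i < len(text) and text[i] not in BOUNDARY and text[i] != "#":
            end = i                           # consume one name=value segment
            while end < len(text) and text[end] not in BOUNDARY and text[end] not in "&#":
                end += 1
            name, eq, value = text[i:end].partition("=")  # raw name: no decoding
            start = i + len(name) + 1
            if eq and text.startswith(MARKER, start):     # idempotence
                end = start + len(MARKER)
            elif eq and value and name.lower() in SENSITIVE_QUERY_PARAMS:
                if not any(s < end and start < e for s, e in protected):
                    spans.append((start, end))
            i = end + 1 if end < len(text) and text[end] == "&" else end
        if i < len(text) and text[i] == "#":  # "#" ends the query; skip the fragment
            while i < len(text) and text[i] not in BOUNDARY:
                i += 1
        pos = text.find("?", i)
    return spans


def redact_query_secrets(text, protected=()):
    """Replace each found value with MARKER, right to left so offsets stay valid."""
    for start, end in sorted(find_query_secrets(text, protected), reverse=True):
        text = text[:start] + MARKER + text[end:]
    return text
```

Running redact_query_secrets on the http_request_mixed fixture line reproduces the After line above, and a second pass over the result changes nothing.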
