Documentation Index
Fetch the complete documentation index at: https://mintlify.com/facunemi/evidence-sanitizer/llms.txt
Use this file to discover all available pages before exploring further.

Evidence Sanitizer scans raw evidence text for URL query strings and replaces the values of known sensitive parameter names with the `query.secret` marker. Scanning starts at every `?` character found anywhere in the text: there is no URL parsing, no scheme validation and no per-line restriction. Parameter names are matched case-insensitively against a fixed list. The scanner operates on the raw text as written; no percent-decoding or URL normalization is performed.
Rule ID and Marker
| Rule ID | Marker |
|---|---|
| `query.secret` | `<REDACTED:query.secret>` |
Sensitive Query Parameter Names
The following parameter names trigger `query.secret` redaction (matched case-insensitively):
access_token, auth_token, id_token, jwt, refresh_token, session, session_id, sid, token, api-key, api_key, apikey, client_secret, sig, signature, x-amz-credential, x-amz-security-token, x-amz-signature, x-goog-credential, x-goog-signature
Before/After Example
In `http_request_mixed`, three query parameters fire in one request line:
`theme` is not in the sensitive parameter list and is left unchanged.
Raw Text Scanning
The query scanner does not parse URLs into components. It finds every `?` in the evidence text and then consumes `name=value` segments delimited by `&`. Token boundaries are whitespace characters and the common URL-context delimiters `"`, `'`, `` ` ``, `<` and `>`. A `#` character ends the current query segment and causes the scanner to advance to the end of the URL fragment, so nothing inside the fragment is scanned.
Parameter names are matched against the exact raw text between the `?` (or `&`) and the `=`. Percent-encoded parameter names are not supported: a parameter written as `%61ccess_token=...` will not match `access_token`.
Overlap Protection
The query scanner is evaluated after Authorization, Proxy-Authorization, Cookie, Sensitive Header and Form findings have already been collected. If a query parameter value span overlaps any existing finding, the query finding is skipped rather than double-redacted. For example, when `access_token=synthetic-token` falls within the span of an `authorization.bearer` finding, the `query.secret` finding is suppressed and the broader Authorization finding takes priority.
Additionally, folded Proxy-Authorization header spans are registered as protected regions; query findings that overlap those spans are also skipped.
Idempotence
If a matched query parameter value is already exactly `<REDACTED:query.secret>`, no finding is produced.
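The following scanner is an added example that ties together the Raw Text Scanning, Overlap Protection and Idempotence rules above and reproduces the shape of the Before/After example (a mixed request line in which `theme` survives). It is not Evidence Sanitizer's own code; the `Finding`, `scan_query_secrets`, `redact` and `sanitize` names, the sample input lines and the `existing`/`protected` parameters are all assumptions made here. Where the page leaves behaviour open, the choices are marked as assumptions in the comments: a segment with no `=` is skipped, an empty value produces no finding, a `?` inside a consumed value starts its own scan, and the marker is matched as a whole even though its `<` and `>` are boundary characters.

```python
"""query.secret scanner modelled on the rule described on this page (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

RULE_ID = "query.secret"
MARKER = f"<REDACTED:{RULE_ID}>"

# Fixed, case-insensitive parameter list from the page.
SENSITIVE_PARAMS = frozenset({
    "access_token", "auth_token", "id_token", "jwt", "refresh_token",
    "session", "session_id", "sid", "token", "api-key", "api_key", "apikey",
    "client_secret", "sig", "signature", "x-amz-credential",
    "x-amz-security-token", "x-amz-signature", "x-goog-credential",
    "x-goog-signature",
})

# Whitespace plus the URL-context delimiters the page lists.
TOKEN_BOUNDARY = frozenset(" \t\r\n\"'`<>")


@dataclass(frozen=True)
class Finding:
    rule: str
    start: int   # inclusive offset of the value in the raw text
    end: int     # exclusive offset of the value


def _overlaps(start: int, end: int, spans: Iterable[Tuple[int, int]]) -> bool:
    return any(start < s_end and s_start < end for s_start, s_end in spans)


def _scan_to_boundary(text: str, pos: int, stop: str = "") -> int:
    """Advance from pos until a token boundary or a character in `stop`."""
    while pos < len(text) and text[pos] not in TOKEN_BOUNDARY and text[pos] not in stop:
        pos += 1
    return pos


def scan_query_secrets(text: str, existing: Iterable[Finding] = (),
                       protected: Iterable[Tuple[int, int]] = ()) -> List[Finding]:
    """Return query.secret findings (value spans) over raw, un-decoded text.

    `existing` are findings collected by earlier rules (Authorization, Cookie, ...);
    `protected` are extra spans such as folded Proxy-Authorization headers.
    A query value overlapping either is skipped, never double-redacted.
    """
    taken = [(f.start, f.end) for f in existing] + list(protected)
    findings: List[Finding] = []
    n, i = len(text), 0
    while True:
        q = text.find("?", i)          # scanning starts at every '?'
        if q < 0:
            break
        pos, frag_end = q + 1, None
        while pos < n:
            # Name is the exact raw text up to '=': no percent-decoding.
            name_end = _scan_to_boundary(text, pos, stop="=&#")
            if name_end >= n or text[name_end] != "=":
                pos = name_end          # assumption: no '=' means no name=value pair
            else:
                name, vstart = text[pos:name_end], name_end + 1
                if text.startswith(MARKER, vstart):
                    # Idempotence: value is already the marker. Matched whole here
                    # because '<' and '>' would otherwise cut it off (assumption).
                    vend = vstart + len(MARKER)
                else:
                    vend = _scan_to_boundary(text, vstart, stop="&#")
                    if (name.lower() in SENSITIVE_PARAMS and vend > vstart
                            and not _overlaps(vstart, vend, taken)):
                        findings.append(Finding(RULE_ID, vstart, vend))
                        taken.append((vstart, vend))
                pos = vend
            if pos < n and text[pos] == "&":
                pos += 1
                continue                # next name=value segment
            if pos < n and text[pos] == "#":
                # '#' ends the query; skip the whole fragment so a '?' inside it
                # does not restart scanning.
                frag_end = _scan_to_boundary(text, pos + 1)
            break
        # Assumption: a '?' nested inside a consumed value still starts a scan.
        i = frag_end if frag_end is not None else q + 1
    return findings


def redact(text: str, findings: Iterable[Finding]) -> str:
    """Replace each finding's value span with the marker, right to left."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + MARKER + out[f.end:]
    return out


def sanitize(text: str, existing: Iterable[Finding] = (),
             protected: Iterable[Tuple[int, int]] = ()) -> str:
    return redact(text, scan_query_secrets(text, existing, protected))


if __name__ == "__main__":
    # Constructed request line: access_token and Sig fire, THEME is left alone.
    line = "GET /cb?code=abc&access_token=synthetic-token&THEME=dark&Sig=XYZ HTTP/1.1"
    print(sanitize(line))
```

Running `sanitize` a second time over its own output produces no further findings, which is the idempotence property the page describes; passing an `authorization.bearer` finding whose span covers a URL containing `access_token=` suppresses the query finding, which is the overlap rule.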