Evidence Sanitizer maintains a fixed list of well-known API key and authentication header names. When a physical line in the evidence text begins with one of these header names followed by a `:` separator and a non-empty value, the value is replaced with the `header.secret` marker. Matching is case-insensitive on the header name and operates line by line on raw text, with no HTTP message parsing: every physical line is inspected on its own, so a matching line is redacted whether or not it is part of a real HTTP request or response.
Rule ID and Marker
| Rule ID | Marker |
|---|---|
| `header.secret` | `<REDACTED:header.secret>` |
Sensitive Header Names
The following header names trigger `header.secret` redaction (case-insensitive):
x-api-key, api-key, apikey, x-apikey, api_key, x-api_key, x-auth-token, auth-token, x-access-token, access-token, x-session-token, session-token, x-id-token, id-token, x-refresh-token, refresh-token, x-csrf-token, csrf-token, x-xsrf-token, xsrf-token, x-csrftoken, csrftoken, x-xsrftoken, x-csrf, csrf, x-amz-security-token, x-amz-credential, x-amz-signature, x-goog-api-key, x-goog-signature, x-ms-token-aad-access-token, x-secret, x-client-secret, client-secret
Before/After Examples
Idempotence
If a matched header's trimmed value is already exactly `<REDACTED:header.secret>`, no finding is produced and the line is left unchanged. Running the sanitizer a second time over its own output therefore yields identical text and zero `header.secret` findings.
Exact Line-Start Matching
The header name must appear at the very start of a physical line. Optional horizontal whitespace is permitted between the header name and `:`, and between `:` and the value. The matching is case-insensitive: `x-api-key`, `X-API-Key`, and `X-Api-Key` all match the same entry. A header that is indented, or that is preceded by anything else on the line (a timestamp, a log prefix, a quoted JSON key), does not match this rule.
Folded headers (where the next physical line starts with a space or tab, as in obsolete HTTP line folding) are not supported. A sensitive header whose value is carried on a folded continuation line is left unchanged, because the first line has an empty value and the continuation line does not begin with a header name.
Explicitly Excluded Headers
The following headers are not matched by `header.secret`. They are handled by their own dedicated rule families, or are out of scope, as noted:
| Header | Handled By |
|---|---|
| Authorization | Authorization rules |
| Cookie | Cookie rules |
| Set-Cookie | Out of scope |
| Proxy-Authorization | Proxy-Auth rules |
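The `header.secret` rule as described on this page (line-start matching, optional whitespace around `:`, case-insensitive name comparison, idempotence on an already-redacted value, no handling of folded headers, and the excluded headers simply being absent from the list), implemented as an added example. This is not Evidence Sanitizer's own code: the `sanitize`, `is_sensitive_header` and `Finding` names are hypothetical, and `SAMPLE_EVIDENCE` is a constructed before/after input, not an excerpt from the project.

```python
import re
from typing import List, NamedTuple, Tuple

RULE_ID = "header.secret"
MARKER = "<REDACTED:header.secret>"

# The page's fixed list of sensitive header names, compared case-insensitively.
# Authorization, Cookie, Set-Cookie and Proxy-Authorization are deliberately
# absent: they belong to other rule families (or are out of scope).
SENSITIVE_HEADERS = frozenset("""
    x-api-key api-key apikey x-apikey api_key x-api_key
    x-auth-token auth-token x-access-token access-token
    x-session-token session-token x-id-token id-token
    x-refresh-token refresh-token x-csrf-token csrf-token
    x-xsrf-token xsrf-token x-csrftoken csrftoken x-xsrftoken x-csrf csrf
    x-amz-security-token x-amz-credential x-amz-signature
    x-goog-api-key x-goog-signature x-ms-token-aad-access-token
    x-secret x-client-secret client-secret
""".split())

# One physical line: a header token at column 0, optional horizontal whitespace
# on either side of ':', then a value that starts with a non-whitespace char.
# Indented, folded or prefixed lines never match because of the '^' anchor.
_HEADER_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+)[ \t]*:[ \t]*(?P<value>\S.*)$")


class Finding(NamedTuple):
    line: int    # 1-based physical line number in the evidence
    header: str  # header name as written (original case preserved)
    rule: str    # always RULE_ID for this rule


def is_sensitive_header(name: str) -> bool:
    """Exact, case-insensitive membership test against the fixed list."""
    return name.lower() in SENSITIVE_HEADERS


def sanitize(text: str) -> Tuple[str, List[Finding]]:
    """Apply header.secret line by line; return (redacted text, findings).

    No HTTP parsing happens: each physical line is inspected on its own,
    line endings (\\n or \\r\\n) are preserved, and a value that already
    equals the marker after trimming yields no finding (idempotence).
    """
    out: List[str] = []
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(keepends=True), start=1):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]
        m = _HEADER_LINE.match(body)
        if m and is_sensitive_header(m.group("name")):
            if m.group("value").strip() != MARKER:
                # Keep the header name, its spacing and ':' exactly as written;
                # only the value is replaced.
                body = body[: m.start("value")] + MARKER
                findings.append(Finding(lineno, m.group("name"), RULE_ID))
        out.append(body + eol)
    return "".join(out), findings


# Constructed sample evidence (not from the page): a captured request with an
# excluded header, a folded header, an already-redacted line and an indented
# line, so each edge case on the page is exercised once.
SAMPLE_EVIDENCE = (
    "GET /v1/orders HTTP/1.1\n"
    "Host: api.example.test\n"
    "X-API-Key: abc123def456\n"
    "x-amz-security-token : FQoGZXIvYXdzEBYaDA\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig\n"
    "Cookie: session=0123456789abcdef\n"
    "X-Auth-Token:\n"
    "\tfolded-value-not-redacted\n"
    "api-key: <REDACTED:header.secret>\n"
    "  x-secret: indented-not-at-line-start\n"
    "\n"
    "{\"status\": \"ok\"}\n"
)

if __name__ == "__main__":
    redacted, findings = sanitize(SAMPLE_EVIDENCE)
    print(redacted)
    for f in findings:
        print(f"line {f.line}: {f.header} -> {f.rule}")
```

Running it redacts only lines 3 and 4 of the sample: the `Authorization` and `Cookie` lines are left for their own rule families, the folded `X-Auth-Token` and the indented `x-secret` never reach the matcher, and the already-redacted `api-key` line produces no finding. The practical consequence of the line-start rule is worth keeping in mind when collecting evidence: transcripts whose header lines carry a prefix, such as the `> ` that `curl -v` prints, will not be touched by this rule unless the prefix is stripped first.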