
Evidence Sanitizer maintains a fixed list of well-known API key and authentication header names. When a physical line in the evidence text begins with one of these header names followed by a : separator and a non-empty value, the value is replaced with the header.secret marker. Matching is case-insensitive on the header name and operates line-by-line on raw text, with no HTTP message parsing.

Rule ID and Marker

| Rule ID | Marker |
| --- | --- |
| `header.secret` | `<REDACTED:header.secret>` |

Sensitive Header Names

The following header names trigger header.secret redaction (case-insensitive): x-api-key, api-key, apikey, x-apikey, api_key, x-api_key, x-auth-token, auth-token, x-access-token, access-token, x-session-token, session-token, x-id-token, id-token, x-refresh-token, refresh-token, x-csrf-token, csrf-token, x-xsrf-token, xsrf-token, x-csrftoken, csrftoken, x-xsrftoken, x-csrf, csrf, x-amz-security-token, x-amz-credential, x-amz-signature, x-goog-api-key, x-goog-signature, x-ms-token-aad-access-token, x-secret, x-client-secret, client-secret

Before/After Examples

Before:

```http
X-API-Key: synthetic-api-key
X-Auth-Token: synthetic-auth-token
```

After:

```http
X-API-Key: <REDACTED:header.secret>
X-Auth-Token: <REDACTED:header.secret>
```

Additional examples for AWS and Google credential headers:

Before:

```http
X-Amz-Security-Token: synthetic-amz-security-token
X-Goog-Api-Key: synthetic-goog-api-key
X-Client-Secret: synthetic-client-secret
```

After:

```http
X-Amz-Security-Token: <REDACTED:header.secret>
X-Goog-Api-Key: <REDACTED:header.secret>
X-Client-Secret: <REDACTED:header.secret>
```

Idempotence

If a matched header’s trimmed value is already exactly <REDACTED:header.secret>, no finding is produced and the line is left unchanged.

Exact Line-Start Matching

The header name must appear at the very start of a physical line. Optional horizontal whitespace is permitted between the header name and :, and between : and the value. The matching is case-insensitive — x-api-key, X-API-Key, and X-Api-Key all match the same entry.
Folded headers — where the next physical line starts with a space or tab — are not supported. Folded sensitive headers are left unchanged.

Explicitly Excluded Headers

The following headers are excluded from header.secret matching because they are handled by their own dedicated rule families:
| Header | Handled By |
| --- | --- |
| Authorization | Authorization rules |
| Cookie | Cookie rules |
| Set-Cookie | Out of scope |
| Proxy-Authorization | Proxy-Auth rules |
Custom or non-standard header names not present in the fixed list are not redacted by header.secret. The list is fixed at build time and is not configurable.
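As an added illustration (not Evidence Sanitizer's own code), the following Python sketch implements the header.secret rule as this page describes it: a fixed name list matched case-insensitively at the start of each physical line, optional horizontal whitespace around the colon, a non-empty value, no second finding on an already-redacted value, and no handling of folded lines. The sample evidence text and the shape of the findings records are constructed here for the example.

```python
import re

MARKER = "<REDACTED:header.secret>"

# The page's fixed, build-time list of sensitive header names (matched case-insensitively).
SENSITIVE_HEADERS = (
    "x-api-key", "api-key", "apikey", "x-apikey", "api_key", "x-api_key",
    "x-auth-token", "auth-token", "x-access-token", "access-token",
    "x-session-token", "session-token", "x-id-token", "id-token",
    "x-refresh-token", "refresh-token", "x-csrf-token", "csrf-token",
    "x-xsrf-token", "xsrf-token", "x-csrftoken", "csrftoken", "x-xsrftoken",
    "x-csrf", "csrf", "x-amz-security-token", "x-amz-credential",
    "x-amz-signature", "x-goog-api-key", "x-goog-signature",
    "x-ms-token-aad-access-token", "x-secret", "x-client-secret", "client-secret",
)

# Name anchored at line start, optional horizontal whitespace around ":", non-empty value.
# Excluded headers (Authorization, Cookie, ...) are absent from the list and never match.
_NAMES = "|".join(re.escape(n) for n in SENSITIVE_HEADERS)
_HEADER_RE = re.compile(rf"^(?P<name>{_NAMES})(?P<sep>[ \t]*:[ \t]*)(?P<value>\S.*)$", re.I)

def redact_header_secrets(text: str) -> tuple[str, list[dict]]:
    """Apply header.secret line by line; return (sanitized text, findings)."""
    out, findings = [], []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = _HEADER_RE.match(body)
        # No match covers unknown/excluded names, folded lines (they start with whitespace)
        # and empty values; an already-redacted value is skipped so the rule is idempotent.
        if m is None or m.group("value").strip() == MARKER:
            out.append(line)
            continue
        findings.append({"rule": "header.secret", "line": lineno, "header": m.group("name")})
        out.append(f"{m.group('name')}{m.group('sep')}{MARKER}{eol}")
    return "".join(out), findings

# Constructed sample evidence; every value is synthetic.
SAMPLE = (
    "GET /v1/items HTTP/1.1\n"
    "Host: api.example.test\n"
    "X-API-Key: synthetic-api-key\n"                     # line 3: redacted
    "x-auth-token :   synthetic-auth-token\n"            # line 4: whitespace around ":" is fine
    "Authorization: Bearer synthetic-bearer\n"           # excluded: Authorization rules
    "X-Amz-Security-Token: <REDACTED:header.secret>\n"   # already redacted: no finding
    "X-Goog-Api-Key:\n"                                  # empty value: not matched
    "X-Client-Secret: synthetic-client-secret\n"         # line 8: redacted
    "\tcontinued-folded-value\n"                         # folded line: left unchanged
)
```

Running `redact_header_secrets(SAMPLE)` yields three findings (lines 3, 4 and 8) and a text that passes through a second run unchanged.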
