Hey, everyone! I was troubleshooting an issue with a SaaS provider today and they asked me to send a HAR file. After exporting it from Chrome, I searched for my Auth Bearer token and found it there, in plain text, along with some HttpOnly cookies I didn't want to share. I ended up spending 20 minutes manually removing lines in VS Code. I'm wondering, is there a tool that can do this locally, like a WASM solution? I noticed some online converters, but I'm hesitant to paste my HAR files into a random server. If not, I'm thinking about creating a small open-source tool called 'HarGuard'. Would anyone else find that useful?
3 Answers
Have you thought about logging out before sending the HAR file? That way, your token would be invalidated and could prevent any misuse.
From my experience, most support teams appreciate when you take the time to scrub your files, but they likely won't make extra work for themselves unless the issue is tied directly to authentication. Generally, support reps are trusted to keep your info safe; they’re usually more focused on resolving issues quickly than looking for sensitive data to misuse. As a best practice, though, it's always good to be cautious with what you share, especially since HAR files can capture more information than you realize. It's wise to think about potential risks and try to minimize what you send them.
Technically, the HAR file specification doesn't require you to scrub sensitive data before sending it. If you're using Google Dev Tools to export your HAR, be aware that it includes the version ‘with sensitive data’ by default, which is exactly where tokens and cookies can leak. It happens often, so I usually follow a strict protocol: I either sanitize the file or refuse to send it if it has sensitive data.
That makes total sense! What’s your usual process for redacting? Do you have a workflow or tool that helps you out, maybe something that lets you whitelist specific parts and shows a diff?

Fair points — I’m not assuming support is malicious. My concerns really revolve around *process + least-privilege*: HARs often contain cookies/headers you didn’t intend to share, and once it’s sent, you lose control of it. How do you manage this in practice? Any recommended tools or workflows for quickly redacting sensitive info while keeping HARs useful for debugging?
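The local, no-upload redaction the original post asks for and the third answer's "sanitize or refuse to send" protocol can be done with a short Node.js script. The block below is an added example written for this thread; it is not code from any poster, not the proposed 'HarGuard', and not an existing tool. Everything not in the thread is an assumption: the filename `har-scrub.js`, the lists of sensitive header names and JSON/query keys, the `REDACTED` placeholder, the `MIN_SECRET_LENGTH` cutoff, and the constructed `SAMPLE_HAR` it runs on when no file is given. It goes a little beyond the specific case in the thread: besides `Authorization` and cookie values it also redacts sensitive query parameters and JSON body keys, and then does a second pass that replaces every collected secret wherever else it appears (for example a bearer token echoed back in a response body), which is the case a field-by-field scrub misses.

```javascript
// Added example, not from the thread or any published tool: an offline HAR scrubber for Node.js
// (>= 18, for the global URL class). Field names follow HAR 1.2 (log.entries[].request/.response).
const REDACTED = 'REDACTED';
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'set-cookie', // assumed
  'x-api-key', 'x-auth-token']);                                                                   // lists
const SENSITIVE_KEYS = new Set(['access_token', 'refresh_token', 'id_token', 'token', 'api_key',
  'apikey', 'client_secret', 'password', 'code']);
const MIN_SECRET_LENGTH = 8; // shorter values are redacted where found but not hunted elsewhere

// Redact name/value pairs (headers, queryString, params). names === null redacts every entry,
// which is what cookie arrays need: HAR lists every cookie, HttpOnly ones included.
function redactList(list, names, where, secrets, report) {
  for (const item of list || []) {
    if (!names || names.has(String(item.name).toLowerCase())) {
      report.push(`${where} ${item.name}`);
      secrets.add(String(item.value));
      item.value = REDACTED;
    }
  }
}

function redactUrl(url, where, secrets, report) {
  let u;
  try { u = new URL(url); } catch { return url; } // unparseable: returned untouched
  for (const [k, v] of [...u.searchParams]) {
    if (!SENSITIVE_KEYS.has(k.toLowerCase())) continue;
    report.push(`${where} url param ${k}`);
    secrets.add(v);
    u.searchParams.set(k, REDACTED);
  }
  return u.toString();
}

// Walk a parsed JSON body and redact string values stored under sensitive keys.
function redactJson(value, where, secrets, report) {
  if (Array.isArray(value)) return value.map((v) => redactJson(v, where, secrets, report));
  if (!value || typeof value !== 'object') return value;
  for (const k of Object.keys(value)) {
    if (SENSITIVE_KEYS.has(k.toLowerCase()) && typeof value[k] === 'string') {
      report.push(`${where} body key ${k}`);
      secrets.add(value[k]);
      value[k] = REDACTED;
    } else value[k] = redactJson(value[k], where, secrets, report);
  }
  return value;
}

// request.postData and response.content: form params, then JSON text. Base64-encoded and
// non-JSON bodies are not decoded; they only get the literal pass at the end of redactHar.
function redactBody(body, where, secrets, report) {
  if (!body) return;
  redactList(body.params, SENSITIVE_KEYS, `${where} form`, secrets, report);
  if (typeof body.text !== 'string' || !/json/i.test(body.mimeType || '') || body.encoding === 'base64') return;
  try { body.text = JSON.stringify(redactJson(JSON.parse(body.text), where, secrets, report)); } catch { /* not JSON */ }
}

function redactHar(har) {
  const out = JSON.parse(JSON.stringify(har)); // work on a copy, never on the caller's object
  const secrets = new Set();
  const report = [];
  (out.log.entries || []).forEach((e, i) => {
    const rq = e.request || {};
    const rs = e.response || {};
    if (rq.url) rq.url = redactUrl(rq.url, `#${i} request`, secrets, report);
    redactList(rq.headers, SENSITIVE_HEADERS, `#${i} request header`, secrets, report);
    redactList(rq.queryString, SENSITIVE_KEYS, `#${i} request query`, secrets, report);
    redactList(rq.cookies, null, `#${i} request cookie`, secrets, report);
    redactBody(rq.postData, `#${i} request`, secrets, report);
    redactList(rs.headers, SENSITIVE_HEADERS, `#${i} response header`, secrets, report);
    redactList(rs.cookies, null, `#${i} response cookie`, secrets, report);
    redactBody(rs.content, `#${i} response`, secrets, report);
  });
  // Literal pass: every value redacted above is also replaced wherever else it occurs (a token echoed
  // in a response body, a cookie value in a non-JSON payload). Matching the JSON-escaped form keeps the document well-formed.
  let text = JSON.stringify(out);
  for (const s of [...secrets].filter((v) => v.length >= MIN_SECRET_LENGTH)) {
    text = text.split(JSON.stringify(s).slice(1, -1)).join(REDACTED);
  }
  return { har: JSON.parse(text), report };
}

// Constructed sample (not a real capture): bearer token, API key in the query string, an HttpOnly
// session cookie on both sides, a password in the POST body and the token echoed by the server.
const SAMPLE_HAR = { log: { version: '1.2', creator: { name: 'constructed', version: '0' }, entries: [{
  request: { method: 'POST', url: 'https://api.example.com/v1/login?api_key=sk_live_EXAMPLE_0123&page=2',
    headers: [{ name: 'Host', value: 'api.example.com' }, { name: 'Authorization', value: 'Bearer eyJhbGciOi.EXAMPLE.payload' },
      { name: 'Cookie', value: 'session=s3cr3tS3ssionValue; theme=dark' }],
    cookies: [{ name: 'session', value: 's3cr3tS3ssionValue', httpOnly: true }],
    queryString: [{ name: 'api_key', value: 'sk_live_EXAMPLE_0123' }, { name: 'page', value: '2' }],
    postData: { mimeType: 'application/json', text: '{"password":"hunter2hunter2","username":"alice"}' } },
  response: { status: 200, headers: [{ name: 'Set-Cookie', value: 'session=s3cr3tS3ssionValue; HttpOnly; Secure' }],
    cookies: [{ name: 'session', value: 's3cr3tS3ssionValue' }],
    content: { mimeType: 'application/json', text: '{"ok":true,"echo":"Bearer eyJhbGciOi.EXAMPLE.payload"}' } },
}] } };

if (typeof require !== 'undefined' && require.main === module) { // node har-scrub.js input.har > out.har
  const input = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_HAR;
  const { har, report } = redactHar(input);
  process.stderr.write(report.join('\n') + '\n'); // review this list before you send the output
  process.stdout.write(JSON.stringify(har, null, 2));
}
```

The report written to stderr is the "what did it touch" list the follow-up comment asks about: one line per redacted header, cookie, query parameter or body key, indexed by entry, so you can eyeball it and then diff the output against the original HAR with your normal tools. Two caveats a practitioner should keep in mind: bodies Chrome stores base64-encoded are not decoded, so a token inside one is only caught by the literal pass if the encoded form happens to be identical, and a custom header name not in the assumed list is not redacted, which is why logging out first (the first answer's suggestion) is still worth doing even after scrubbing.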