How to Manually Redact Sensitive Information

Overview

This knowledge article details the situations where manually redacting/sanitizing an HTTP trace should be considered.

A HAR file sanitizer is built into case file uploads; it attempts to redact all sensitive information (API keys, secrets, cookie values, or passwords) in the file. When a HAR file is uploaded to a support Case, automation is triggered that redacts the HAR file on the customer side before the file is actually uploaded to the Case. The upload process is described in the article How to Sanitize a HTTP Trace File Automatically.

NOTE: Consider manually redacting/sanitizing a file in these situations:

  1. The file is not a HAR file.
  2. The file contains a password field with an uncommon name.
  3. The capture might contain vendor-specific fields with uncommon names.

Applies To

  • HAR file

Solution

HTTP Trace files are typically saved as plain text.

Use these steps to manually redact/sanitize a text HTTP Trace. 

  1. Open the file with a text editor.
  2. Examine its contents thoroughly.
  3. Replace all the values that contain PII or confidential information with “REDACTED”.

For reference, a text editor can be used to search for the following keywords.

NOTE: This list is not exhaustive, and there may be other pertinent terms to consider. A given keyword or value may also appear multiple times within the file, so review every instance.

Ensure the search is case-insensitive; for instance, 'Authorization' should match 'authorization', 'AUTHORIZATION', and any other variation in capitalization.

  • state
  • shdf
  • usg
  • password
  • code
  • code_verifier
  • client_secret
  • token
  • access_token - (if the token is a JWT, redact the signature; otherwise redact the whole token string.)
  • refresh_token
  • authenticity_token
  • id_token - (Redact the signature)
  • SAMLResponse - (Redact the signature)
  • SAMLRequest - (Redact the signature)
  • appID
  • challenge
  • facetID
  • assertion
  • fcParams
  • serverData
  • Authorization
    • The Authorization header usually carries authentication information.
    • The first word is the authorization scheme; the parameters follow it.
    • If the scheme is "Bearer" and a JWT follows it, redact the signature of the token. If the token is not a JWT, redact the whole token string.
    • If the authorization scheme is not "Bearer", redact everything after the first word.
  • auth
  • key
  • pem
  • rsa
  • dsa
  • ecdsa
  • signature
  • passkey

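The three steps above and the keyword list, turned into a script. This is an added example written for this article, not Okta's built-in sanitizer or any tool the page describes. It walks the HAR structure (headers, query string, cookies array, request body, response body), applies the Authorization rule from the list (Bearer followed by a JWT: keep header and payload, redact only the signature; any other scheme: redact everything after the scheme), redacts every cookie value both in the cookies arrays and in the Cookie / Set-Cookie headers, and matches key names case-insensitively as substrings of the keyword list, so an uncommon name such as X-Custom-Key is still caught by "key". The sample HAR entry, the keyword set and the helper names are constructed for the example; the keyword set is the page's list plus the field names that appear in the page's own samples and is no more exhaustive than the page's.

```python
import copy
import json
import re

REDACTED = "REDACTED"
# The article's keyword list (lower-cased) plus field names from its own samples
# (passcode, stateHandle, stateToken). Constructed for this example; not exhaustive.
SENSITIVE_KEYS = {
    "state", "shdf", "usg", "password", "passcode", "code", "code_verifier", "client_secret",
    "token", "access_token", "refresh_token", "authenticity_token", "id_token", "samlresponse",
    "samlrequest", "appid", "challenge", "facetid", "assertion", "fcparams", "serverdata",
    "authorization", "auth", "key", "pem", "rsa", "dsa", "ecdsa", "signature", "passkey"}
COOKIE_ATTRS = {"path", "domain", "expires", "max-age", "samesite", "httponly", "secure"}
JWT_RE = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)$")

def is_sensitive(name: str) -> bool:
    """Case-insensitive substring match, so uncommon names such as X-Custom-Key are caught."""
    return any(word in name.lower() for word in SENSITIVE_KEYS)

def redact_token(value: str) -> str:
    """JWT: keep header and payload, replace only the signature; otherwise the whole string."""
    match = JWT_RE.match(value)
    return f"{match.group(1)}.{match.group(2)}.{REDACTED}" if match else REDACTED

def redact_authorization(value: str) -> str:
    """Keep the scheme; Bearer gets the JWT rule, any other scheme loses everything after it."""
    scheme, _, params = value.strip().partition(" ")
    if not params:
        return REDACTED
    return f"{scheme} {redact_token(params.strip()) if scheme.lower() == 'bearer' else REDACTED}"

def redact_cookie_header(value: str) -> str:
    """Cookie / Set-Cookie header: keep cookie names and attributes, redact every cookie value."""
    parts = []
    for part in (p.strip() for p in value.split(";")):
        name, sep, _ = part.partition("=")
        parts.append(f"{name}={REDACTED}" if sep and name.lower() not in COOKIE_ATTRS else part)
    return "; ".join(parts)

def redact_json(obj):
    """Recursively redact string values stored under sensitive keys, at any nesting depth."""
    if isinstance(obj, dict):
        return {k: redact_token(v) if isinstance(v, str) and is_sensitive(k) else redact_json(v)
                for k, v in obj.items()}
    return [redact_json(v) for v in obj] if isinstance(obj, list) else obj

def redact_body_text(text: str) -> str:
    """JSON bodies are parsed and redacted by key; anything else is treated as key=value&... pairs."""
    try:
        return json.dumps(redact_json(json.loads(text)), separators=(",", ":"))
    except ValueError:
        triples = [pair.partition("=") for pair in text.split("&")]
        return "&".join(f"{k}={redact_token(v)}" if sep and is_sensitive(k) else k + sep + v
                        for k, sep, v in triples)

def redact_pairs(records):
    """HAR name/value records: headers, queryString and postData.params."""
    out = []
    for record in (dict(r) for r in records):
        name, value = record.get("name", "").lower(), record.get("value")
        if isinstance(value, str):
            if name == "authorization":
                record["value"] = redact_authorization(value)
            elif name in ("cookie", "set-cookie"):
                record["value"] = redact_cookie_header(value)
            elif is_sensitive(name):
                record["value"] = redact_token(value)
        out.append(record)
    return out

def redact_har(har: dict) -> dict:
    """Return a redacted deep copy of a parsed HAR; the caller's object is left untouched."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        for msg in (entry.get("request") or {}, entry.get("response") or {}):
            for field in ("headers", "queryString"):
                if field in msg:
                    msg[field] = redact_pairs(msg[field])
            for cookie in msg.get("cookies", []):  # the cookies array duplicates the headers
                if "value" in cookie:
                    cookie["value"] = REDACTED
            for body in (msg.get("postData") or {}, msg.get("content") or {}):  # request / response
                if isinstance(body.get("text"), str):
                    body["text"] = redact_body_text(body["text"])
                if "params" in body:
                    body["params"] = redact_pairs(body["params"])
    return har

# Constructed sample HAR entry; every value below is made up for this example.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://example.okta.com/api/v1/authn",
        "headers": [{"name": "Authorization",
                     "value": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.SIGNATUREPART"},
                    {"name": "Cookie", "value": "sid=102abc; DT=xyz"},
                    {"name": "Content-Type", "value": "application/json"}],
        "queryString": [{"name": "state", "value": "abc123"}],
        "cookies": [{"name": "sid", "value": "102abc", "path": "/", "httpOnly": True}],
        "postData": {"mimeType": "application/json",
                     "text": '{"credentials":{"passcode":"hunter2"},"stateHandle":"02.abc"}'}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102abc; Path=/; HttpOnly; Secure"},
                    {"name": "X-Custom-Key", "value": "opaque"}],
        "cookies": [{"name": "sid", "value": "102abc"}],
        "content": {"mimeType": "application/ion+json; okta-version=1.0.0",
                    "text": '{"stateToken":"00abc","status":"SUCCESS"}'}}}]}}
```

Call redact_har() on the json.load() of the .har file and write the result back with json.dump(). The request url field (which duplicates queryString) is not touched here, and the substring matching deliberately over-redacts, so the thorough read-through in step 2 and the final check still apply.
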
NOTE: If using open-source or other commercial tools for HAR file sanitization, select all relevant secret types carefully. These tools cannot guarantee complete sanitization of HAR files or any other HTTP trace files for Okta products.

Even with every available secret type selected in the tool's interface, these tools can overlook sensitive information for various reasons, including but not limited to:

  • Limitations in recognizing specific MIME types.
  • Focus on headers and potentially missing sensitive data located within the request body.
  • Potential omission due to keyword discrepancies.

How to Share a Manually Redacted HTTP Trace with Okta

  1. Use the support portal and upload the attachment to an existing Case or new Case.
    1. For Auth0 Products:  https://support.auth0.com/ 
    2. If the upload fails, attempt to take a new trace or manually redact the trace. 
  2. Disclaimer: While Okta will attempt to identify sensitive data, please acknowledge that it is your responsibility, and not Okta's, to identify sensitive data in HAR files that you want to be redacted.
  3. NOTE: Do not send emails with HTTP Traces attached, as this does not sanitize the trace. 

Examples of Manual Redaction

Sanitizing a HAR file

After generating the .har file, open it in any text editor and examine the content thoroughly to find sensitive information (Use the provided sample list of keywords as a guide).

For each value, replace it with “REDACTED”. Examples of what common secrets look like are provided below.

Sample Password Content

      ],
      "headersSize": 8370,
      "bodySize": 106,
      "postData": {
        "mimeType": "application/json",
        "text": "{\"credentials\":{\"passcode\":\"REDACTED\"},\"stateHandle\":\"REDACTED\"}"
      }

Sample Cookie Content

"cookies": [
            {
              "name": "your-token-here",
              "value": "REDACTED",
              "path": "path/to/your/cookie",
              "domain": "your.domain.com",
              "expires": "1969-12-31T23:59:59.000Z",
              "httpOnly": true,
              "secure": true,
              "sameSite": "Lax"
            },

NOTE: Cookie values also appear in the "cookie" header (request) or the "set-cookie" headers (response), so redact them there as well.

Sample Token Content

  "postData": {
    "mimeType": "application/ion+json; okta-version=1.0.0",
    "text": "{\"stateToken\":\"REDACTED\"}"
  }
},

Go through the HAR file once again to make sure everything is redacted properly. Submit the sanitized .har file (without secrets) to Okta Support.

Sanitizing SAMLTracer Output

After getting the SAML requests and responses from SAMLTracer, go through the entire exchange, and redact all PII and confidential values.

In the example below, key values from an assertion in the SAML response have been redacted.

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="id304067580046759701759203951"
                     IssueInstant="2017-02-02T03:13:05.114Z"
                     Version="2.0"
                     xmlns:xs="http://www.w3.org/2001/XMLSchema"
                     >
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      >http://www.orgname.okta.com</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <ds:Reference URI="#id304067580046759701759203951">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                    PrefixList="xs"
                                                    />
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                    <ds:DigestValue>REDACTED</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>REDACTED</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVVfq86GMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData InResponseTo="_2b16caecb21804d0271c7b45734978a31b122c0b9a"
                                               NotOnOrAfter="2017-02-02T03:18:05.114Z"
                                               Recipient="http://localhost:8888/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/example-okta-com"
                                               />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2017-02-02T03:08:05.114Z"
                          NotOnOrAfter="2017-02-02T03:18:05.114Z"
                          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >
            <saml2:AudienceRestriction>
                <saml2:Audience>http://localhost:8888/simplesamlphp/www/module.php/saml/sp/metadata.php/example-okta-com</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2017-02-02T03:13:05.114Z"
                              SessionIndex="_2b16caecb21804d0271c7b45734978a31b122c0b9a"
                              xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                              >
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="FirstName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >REDACTED</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="LastName"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >REDACTED</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="Email"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                             >
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                      xsi:type="xs:string"
                                      >REDACTED</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
    </saml2:Assertion>
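
The same redaction for SAMLTracer output as a script. This is an added example, not code from Okta or from SAMLTracer. Given the decoded assertion XML, it replaces the text of DigestValue and SignatureValue (the "redact the signature" rule from the keyword list) and of AttributeValue and NameID (the PII redacted from the attributes above; treating NameID as PII is this example's choice, since the sample assertion only shows the placeholder userName there), leaves the X509Certificate, Issuer, tags and attributes exactly as they were, and reports which sensitive elements still carry a value so the second pass through the exchange can be checked mechanically. The assertion in the block is a constructed, shortened fragment with made-up values; redact_saml_b64 assumes the HTTP-POST binding, where the SAMLResponse form value is plain base64 of the XML.

```python
import base64
import re

REDACTED = "REDACTED"
# Elements whose text is a signature value or PII; constructed choice for this example.
SENSITIVE_ELEMENTS = ("DigestValue", "SignatureValue", "AttributeValue", "NameID")
# <prefix:Element ...attrs...>text</prefix:Element>; the attribute list may span several lines.
ELEMENT_RE = re.compile(
    r"(<(?:[\w.-]+:)?(%s)\b[^>]*>)([^<]*)(</(?:[\w.-]+:)?\2\s*>)" % "|".join(SENSITIVE_ELEMENTS))

def leaked_values(xml_text: str):
    """Sensitive elements that still carry a real value; run this as the final check."""
    return [(m.group(2), m.group(3).strip()) for m in ELEMENT_RE.finditer(xml_text)
            if m.group(3).strip() not in ("", REDACTED)]

def redact_saml(xml_text: str) -> str:
    """Replace only the element text; tags, attributes and whitespace are left byte-for-byte."""
    def repl(m):
        return m.group(0) if not m.group(3).strip() else m.group(1) + REDACTED + m.group(4)
    return ELEMENT_RE.sub(repl, xml_text)

def decode_saml_b64(encoded: str) -> str:
    return base64.b64decode(encoded).decode("utf-8")

def redact_saml_b64(encoded: str) -> str:
    """HTTP-POST binding: the SAMLResponse/SAMLRequest form value is plain base64 of the XML.
    (The HTTP-Redirect binding deflates the XML first; that case is not handled here.)"""
    return base64.b64encode(redact_saml(decode_saml_b64(encoded)).encode("utf-8")).decode("ascii")

# Constructed, shortened assertion; digest, signature, certificate and PII values are made up.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id123" Version="2.0">
  <saml2:Issuer>http://www.orgname.okta.com</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#id123">
      <ds:DigestValue>c29tZWRpZ2VzdA==</ds:DigestValue>
    </ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>c29tZXNpZ25hdHVyZQ==</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIG</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xs:string"
                            >jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION.encode("utf-8")).decode("ascii")
```

Paste the XML from the SAMLTracer panel into redact_saml(), then run leaked_values() on the result; an empty list is the condition to meet before the trace is shared. The regex works on the text rather than re-serialising the XML, so nothing outside the redacted element text changes.
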
