How to Sanitize HAR Files Before Sharing Browser Traces

Quick answer

Use this guide before sending a HAR file to support, a vendor, a teammate, or an issue tracker. HAR files can contain cookies, auth headers, URLs, and request data copied directly from the browser.

Who this is for

• Developers debugging browser network issues
• Support teams requesting HAR exports
• QA engineers attaching browser traces
• Security-conscious teams reviewing traffic before sharing

What to remove or avoid

• Authorization headers, cookies, session IDs, and CSRF tokens
• Private request URLs, customer IDs, emails, and query values
• Request or response bodies that include credentials or personal data

What to keep visible

• Request method and timing context
• Safe endpoint shape when the exact private URL is not needed
• Status codes, error responses, and high-level request sequence
• Clear placeholders showing what was removed

Useful controls in the tool

• Upload the .har file directly into the browser workspace.
• Review headers, query params, and request body before sharing.
• Open fullscreen when the trace is long.
• Download the sanitized HAR text only after checking the result.

Step-by-step

1. 1Export the HAR from your browser.
2. 2Upload or paste it into the sanitizer.
3. 3Review the cleaned headers, URLs, cookies, and request data.
4. 4Use fullscreen for large traces.
5. 5Download or copy the sanitized version for support.

Example

Before:
Authorization: Bearer eyJ...
Cookie: session=abc123
url=https://api.example.com/customer/123

After:
Authorization: Bearer [JWT]
Cookie: [COOKIES]
url=[URL]

What to do after review

• Invalidate real sessions or cookies if they were exposed.
• Send only the sanitized HAR to third parties.
• Keep status codes and request order visible for troubleshooting.

Tip: A HAR file is a browser recording, so treat it like sensitive production data until it is cleaned.