Sanitize HTTP Traces
For troubleshooting purposes, Auth0 Support may request an HTTP trace file (e.g., Chrome’s .har export, SAMLTracer, Fiddler, or ZAP outputs) to see the authentication flow. The HTTP trace will record all details of the requests and responses. This includes the data exchanged, the server response, and, if present in the authentication request, passwords, session tokens, cookies, and other confidential information.
For security reasons, you must remove all Personal Identifiable Information (PII) and replace authentication details, such as API keys, secrets, cookie values, or passwords, with placeholder values in the HTTP trace file before sending it to Auth0 Support.
When should I sanitize the HTTP Trace file?
Regardless of the product, exchange, or flow, you should always sanitize the HTTP trace files before sending them to Auth0 Support. This applies universally to all Auth0 offerings, including any and all products and services.
What should be removed?
Any confidential information including, but not limited to, cookies, tokens, secrets, verification codes, ID Tokens, and any form of PII in compliance with laws and regulations.
How to remove PII and confidential information
No matter which tool you use, HTTP Trace files are typically saved as plain text.
Open the file with a text editor.
Examine its contents thoroughly.
Replace all the values that contain PII or confidential information with “REDACTED”.
For reference, you can use your text editor to search for the keywords listed below.
This list is not exhaustive, and there may be other pertinent terms to consider. Additionally, specific keywords or values may appear multiple times within a file, so ensure you review all instances.
Ensure your search is case-insensitive; for instance, "Authorization" should match "authorization", "AUTHORIZATION", and any other variations in capitalization.
stateshdfusgpasswordemailcodecode_verifierclient_secretclient_idtokenaccess_tokenrefresh_tokenauthenticity_tokenid_tokenappIDchallengefacetIDassertionfcParamsserverDataAuthorizationauthBearerkeypemrsadsaecdsasignaturepasskey
If you choose to use a third-party or commercial tool to analyze or sanitize a HAR file, you should exercise caution when you select relevant secret types. These tools can't guarantee complete sanitization of HAR files or other HTTP trace files for the Auth0 product.
These tools could overlook sensitive information (such as PII) for various reasons, such as:
Limitations in recognizing MIME types
Focus on headers, potentially missing out on sensitive data in the request body
Potential omission based on keyword discrepancies
Examples
Sanitize a HAR file
After generating the .har file, open it in any text editor and examine the contents thoroughly to find PII and confidential information. You can use the provided sample list of keywords as a guide.
For each value, replace it with REDACTED. Examples of what common secrets look like have been provided below.
Example password content
],
"headersSize": 8370,
"bodySize": 106,
"postData": {
"mimeType": "application/json",
"text": "{\"credentials\":{\"passcode\":\"REDACTED\"},\"stateHandle\":\"REDACTED\"}"
}Was this helpful?
Example cookie content
"cookies": [
{
"name": "your-token-here",
"value": "REDACTED",
"path": "path/to/your/cookie",
"domain": "your.domain.com",
"expires": "1969-12-31T23:59:59.000Z",
"httpOnly": true,
"secure": true,
"sameSite": "Lax"
},Was this helpful?
Example token content
"postData": {
"mimeType": "application/ion+json; okta-version=1.0.0",
"text": "{\"stateToken\":\"REDACTED\"}"
}
},Was this helpful?
Go through the HAR file once again to make sure everything is redacted properly
Submit the sanitized .har file (without secrets) to Auth0 Support.
Sanitize SAMLTracer Output
After getting the SAML requests and responses from SAMLTracer, go through the entire exchange and redact all PII and confidential values. For example, in the example below, we have redacted key values from an assertion in the SAML response.
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="id304067580046759701759203951"
IssueInstant="2017-02-02T03:13:05.114Z"
Version="2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema""
>
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>http://www.orgname.okta.com</saml2:Issuer>;
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">;
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"" />
<ds:Reference URI="#id304067580046759701759203951">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">;
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#""
PrefixList="xs"
/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"" />
<ds:DigestValue>REDACTED</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>REDACTED</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVVfq86GMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG
A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldnN1cHBvcnQxHDAaBgkqhkiG9w0BCQEW
DWluZm9Ab2t0YS5jb20wHhcNMTYwNjE3MTg0MTIyWhcNMjYwNjE3MTg0MjIyWjCBkjELMAkGA1UE
BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV
BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXZzdXBwb3J0MRwwGgYJ
KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
qp10VJvKjqIEk30bv0WPw6XhZtTm19XfLrwyHRG1aYQshkcIolS9Vvp5SdL6dDEctdf5dznrQTlr
8Q+LUIC6JGnVzA/qgC1UpsXYdfaod0c35GM8HDsHni0MNUnHt/2MqDW6PkYoIdjniDp21wOCiORE
FGuC1kUQQJY2yQ8bQJVEKCEyIUPGXLMcQlbB0vAkbGeqz4HCZBX/n7wr/50MMQz8YOLSkx/0Ojls
sGEA6KAbdFutrvSUKIUeZc4XFfySm9KJ1Vi83PpacOfWuKyktjPR0mC6wK87PuN32boa4nQ2+BMf
v/qgx4e5RDnTYk2+iPcwN6nKxJfS66kKhpfMdwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA8R607
iL9Sx9QKo31zG2xG24drYxaWta6G5XKcROkFk2ZVfRAhS9rx1WFXuCV5e/ys0z7jILWKisTkjegY
uubqy6awBbjDRxnUct0OdZU4siHWYjvL+SYOT2Pk8IwlD4HGNsee6WmURvfpL2Yib9Xc85qVp1W9
t7GU2GZVnOyU7a/JfAgDw79z5dH1BQsCW+nvgeO5VgFXVOSf7dBOB2PlwG5DlH5MgNa67eH3Wr9B
RKvwyyTfqfq9pgSmB9xNVJIeVZbbZGTlNGqJti24E0AiIPggtxg5NJ+HHnEQ5RxdSsR4fbMz9i0K
/bXt6hPgGu7xYRSv1RfvKcR1NjYk3nnD</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData InResponseTo="_2b16caecb21804d0271c7b45734978a31b122c0b9a"
NotOnOrAfter="2017-02-02T03:18:05.114Z"
Recipient="http://localhost:8888/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/example-okta-com""
/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2017-02-02T03:08:05.114Z"
NotOnOrAfter="2017-02-02T03:18:05.114Z"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AudienceRestriction>
<saml2:Audience>http://localhost:8888/simplesamlphp/www/module.php/saml/sp/metadata.php/example-okta-com</saml2:Audience>;
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2017-02-02T03:13:05.114Z"
SessionIndex="_2b16caecb21804d0271c7b45734978a31b122c0b9a"
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="FirstName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema""
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance""
xsi:type="xs:string"
>REDACTED</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="LastName"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema""
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance""
xsi:type="xs:string"
>REDACTED</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="Email"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema""
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance""
xsi:type="xs:string"
>REDACTED</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>Was this helpful?