
Secret redaction

Recordings get committed to git, so secrets are stripped before anything is written to disk. Redaction is on by default; the proxy replaces the values of these request/response headers with [REDACTED]:

  • Authorization
  • Cookie
  • Set-Cookie

This is safe: replay matching ignores these headers, so redaction never breaks playback. It applies to .mock.json recordings, WebSocket recordings, and .har files. To turn redaction off, pass --no-redact on the CLI or set redaction: false in the config.

When only some cookies are sensitive, allow-list the harmless ones by name (for example a theme or A/B-test cookie). Allow-listed cookies keep their values inside Cookie/Set-Cookie; every other cookie is still redacted.

To keep the login flow and credentials out of recordings entirely, run authentication in a Playwright setup project with the proxy in transparent mode, persist storageState to a gitignored auth-state.json, and reuse it in your tests. Recorded requests then carry only the (redacted) session headers, never the login.

See the authenticated app example for a working setup against a real auth provider.

The default headers always apply (while redaction is on); you can add to them.

  • --no-redact — disable secret redaction (on by default).
  • --redact — enable secret redaction; only needed to re-enable when the config sets redaction: false.
  • --redact-headers <names> — comma-separated extra header names to redact (merged with the defaults).
  • --redact-body <patterns> — comma-separated regex patterns to redact from request/response bodies.
  • --allow-headers <names> — comma-separated header names to exempt from redaction (for example set-cookie).
  • --allow-cookies <names> — comma-separated cookie names to keep unredacted inside Cookie/Set-Cookie.
  # Redaction is already on; also redact an API-key header and "sk_live_..." tokens, keep the theme cookie
  test-proxy-recorder http://localhost:8000 \
    --redact-headers x-api-key \
    --redact-body "sk_live_[a-zA-Z0-9]+" \
    --allow-cookies theme,locale

When constructing ProxyServer directly:

  import { ProxyServer } from 'test-proxy-recorder';

  // Passing this object enables redaction; pass `false` (or nothing) to keep it off.
  const proxy = new ProxyServer('http://localhost:3000', './recordings', undefined, {
    headers: ['x-api-key', 'x-auth'],       // extra headers, merged with the defaults
    bodyPatterns: [/sk_live_[a-z0-9]+/i],   // regexes replaced in request/response bodies
    allowHeaders: ['set-cookie'],           // never redact these headers
    allowCookies: ['theme', 'locale'],      // keep these cookies inside Cookie/Set-Cookie
    placeholder: '[REDACTED]',              // default
  });

redactSession(session, config) is also exported if you want to redact existing recordings yourself.
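The page does not show redactSession's signature or the recording layout, so the following is an added stand-alone illustration of the redaction rules described above (default headers, allow-listed cookies kept inside Cookie/Set-Cookie, body regexes), not the package's own code; the message shape (plain string header map, optional string body) and the sample values are assumptions made for the example.

```typescript
// Added illustration of the redaction rules described on this page; not test-proxy-recorder's
// own code. The message shape (plain header map plus an optional string body) is an assumption.
type Headers = Record<string, string>;
type Message = { headers: Headers; body?: string };
type RedactConfig = { headers?: string[]; bodyPatterns?: RegExp[]; allowHeaders?: string[];
                      allowCookies?: string[]; placeholder?: string };

const DEFAULT_HEADERS = ['authorization', 'cookie', 'set-cookie']; // always redacted unless allow-listed

// Cookie: "a=1; b=2"  /  Set-Cookie: "a=1; Path=/; HttpOnly" (only the first pair is a cookie,
// the rest are attributes that carry no secret and are left as they are).
function redactCookies(header: string, value: string, allow: Set<string>, placeholder: string): string {
  const parts = value.split(';').map((p) => p.trim());
  const cookiePairs = header === 'set-cookie' ? 1 : parts.length;
  return parts.map((pair, i) => {
    if (i >= cookiePairs) return pair;                       // Set-Cookie attribute, not a cookie
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    return allow.has(name) ? pair : `${name}=${placeholder}`; // allow-listed cookies keep their value
  }).join('; ');
}

export function redactMessage(msg: Message, cfg: RedactConfig = {}): Message {
  const placeholder = cfg.placeholder ?? '[REDACTED]';
  const allowHeaders = new Set((cfg.allowHeaders ?? []).map((h) => h.toLowerCase()));
  const allowCookies = new Set(cfg.allowCookies ?? []);
  const targets = new Set([...DEFAULT_HEADERS, ...(cfg.headers ?? []).map((h) => h.toLowerCase())]);
  const headers: Headers = {};
  for (const [name, value] of Object.entries(msg.headers)) {
    const lower = name.toLowerCase();                        // header names match case-insensitively
    if (!targets.has(lower) || allowHeaders.has(lower)) headers[name] = value;
    else if (lower === 'cookie' || lower === 'set-cookie') headers[name] = redactCookies(lower, value, allowCookies, placeholder);
    else headers[name] = placeholder;                        // whole header value replaced
  }
  // Body patterns: every match is replaced, so a non-global regex is re-created with the g flag.
  let body = msg.body;
  for (const re of cfg.bodyPatterns ?? []) {
    if (body !== undefined) body = body.replace(new RegExp(re.source, re.flags.includes('g') ? re.flags : re.flags + 'g'), placeholder);
  }
  return body === undefined ? { headers } : { headers, body };
}

// Constructed sample response (values are made up), shaped as a recorded entry is assumed to hold it.
export const SAMPLE: Message = {
  headers: { 'Set-Cookie': 'session=abc123; Path=/; HttpOnly', 'X-Api-Key': 'key-42', 'Content-Type': 'application/json' },
  body: '{"token":"sk_live_AbC123","theme":"dark"}',
};
export const REDACTED = redactMessage(SAMPLE, { headers: ['x-api-key'], bodyPatterns: [/sk_live_[a-z0-9]+/i], allowCookies: ['theme'] });
```

Applied to SAMPLE, the session cookie and X-Api-Key become [REDACTED] and the sk_live_ token disappears from the body while Content-Type and the Set-Cookie attributes stay intact; since replay matching ignores the redacted headers, the stripped recording still plays back.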