Secret redaction
Recordings get committed to git, so secrets are stripped before anything is written to disk. Redaction is on by default; the proxy replaces the values of these request/response headers with [REDACTED]:
- Authorization
- Cookie
- Set-Cookie
This is safe: replay matching ignores these headers, so redaction never breaks playback. It applies to .mock.json recordings, WebSocket recordings, and .har files. To turn redaction off, pass --no-redact on the CLI or set redaction: false in the config.
When only some cookies are sensitive, allow-list the harmless ones by name (for example a theme or A/B-test cookie). Allow-listed cookies keep their values inside Cookie/Set-Cookie; every other cookie is still redacted.
Recommended auth pattern
To keep the login flow and credentials out of recordings entirely, run authentication in a Playwright setup project with the proxy in transparent mode, persist storageState to a gitignored auth-state.json, and reuse it in your tests. Recorded requests then carry only the (redacted) session headers, never the login.
See the authenticated app example for a working setup against a real auth provider.
Tweaking what gets redacted
The default headers always apply (while redaction is on); you can add to them.
CLI flags
- --no-redact — disable secret redaction (on by default).
- --redact — enable secret redaction; only needed to re-enable it when the config sets redaction: false.
- --redact-headers <names> — comma-separated extra header names to redact (merged with the defaults).
- --redact-body <patterns> — comma-separated regex patterns to redact from request/response bodies.
- --allow-headers <names> — comma-separated header names to exempt from redaction (for example set-cookie).
- --allow-cookies <names> — comma-separated cookie names to keep unredacted inside Cookie/Set-Cookie.
```sh
# Redaction is already on; also redact an API-key header and "sk_live_..." tokens,
# and keep the theme and locale cookies unredacted
test-proxy-recorder http://localhost:8000 \
  --redact-headers x-api-key \
  --redact-body "sk_live_[a-zA-Z0-9]+" \
  --allow-cookies theme,locale
```

Programmatic
When constructing ProxyServer directly:
```ts
import { ProxyServer } from 'test-proxy-recorder';

// Passing this object enables redaction; pass `false` (or nothing) to keep it off.
const proxy = new ProxyServer('http://localhost:3000', './recordings', undefined, {
  headers: ['x-api-key', 'x-auth'],     // extra headers, merged with the defaults
  bodyPatterns: [/sk_live_[a-z0-9]+/i], // regexes replaced in request/response bodies
  allowHeaders: ['set-cookie'],         // never redact these headers
  allowCookies: ['theme', 'locale'],    // keep these cookies inside Cookie/Set-Cookie
  placeholder: '[REDACTED]',            // default
});
```

redactSession(session, config) is also exported if you want to redact existing recordings yourself.
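The redaction rules this page describes (the default Authorization/Cookie/Set-Cookie headers, extra headers, body regexes, allowHeaders, and the per-cookie allow-list from the "Secret redaction" section), applied to a constructed recording entry as an added stand-alone example. This is not test-proxy-recorder's own code and not its redactSession API; the entry shape, the names redactEntry and demo, and the sample header and body values are assumptions for illustration.

```javascript
// Added example, not part of test-proxy-recorder. It reimplements the page's
// redaction rules over a constructed recording entry; the entry shape and all
// function names are assumptions.
const DEFAULT_HEADERS = ['authorization', 'cookie', 'set-cookie'];

// Cookie: "a=1; b=2". Set-Cookie: "name=value; Path=/; HttpOnly" (only the
// first pair is the cookie; the rest are attributes and are kept verbatim).
function redactCookieValue(headerName, value, allowCookies, placeholder) {
  if (!value) return value;
  const pairs = value.split(/;\s*/);
  const redactPair = (pair) => {
    const [name] = pair.split('=', 1);
    return allowCookies.has(name) ? pair : `${name}=${placeholder}`;
  };
  if (headerName === 'cookie') return pairs.map(redactPair).join('; ');
  const [first, ...attrs] = pairs;
  return [redactPair(first), ...attrs].join('; ');
}

function redactHeaders(headers, opts) {
  const toRedact = new Set([...DEFAULT_HEADERS, ...opts.headers.map((h) => h.toLowerCase())]);
  const allowHeaders = new Set(opts.allowHeaders.map((h) => h.toLowerCase()));
  const allowCookies = new Set(opts.allowCookies);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (!toRedact.has(key) || allowHeaders.has(key)) { out[name] = value; continue; }
    // Cookie headers are redacted per cookie; everything else wholesale.
    const one = (v) => (key === 'cookie' || key === 'set-cookie')
      ? redactCookieValue(key, v, allowCookies, opts.placeholder)
      : opts.placeholder;
    out[name] = Array.isArray(value) ? value.map(one) : one(value);
  }
  return out;
}

// Body patterns are applied globally even if the caller's regex lacks the g flag.
function redactBody(body, patterns, placeholder) {
  if (typeof body !== 'string') return body;
  return patterns.reduce((text, re) => {
    const flags = re.flags.includes('g') ? re.flags : re.flags + 'g';
    return text.replace(new RegExp(re.source, flags), placeholder);
  }, body);
}

// Returns a new entry; the input is not mutated, so it can be redacted
// before being written to disk without losing the in-memory original.
function redactEntry(entry, options = {}) {
  const opts = { headers: [], bodyPatterns: [], allowHeaders: [], allowCookies: [],
                 placeholder: '[REDACTED]', ...options };
  const redactSide = (side) => ({
    ...side,
    headers: redactHeaders(side.headers, opts),
    body: redactBody(side.body, opts.bodyPatterns, opts.placeholder),
  });
  return { request: redactSide(entry.request), response: redactSide(entry.response) };
}

// Constructed sample entry (not a real capture); values are made up.
const SAMPLE_ENTRY = {
  request: {
    method: 'GET',
    url: 'http://localhost:8000/api/me',
    headers: {
      Authorization: 'Bearer eyJabc.def.ghi',
      Cookie: 'session=abc123; theme=dark',
      'X-Api-Key': 'sk_live_ABC123',
    },
    body: '',
  },
  response: {
    status: 200,
    headers: {
      'Set-Cookie': ['session=newvalue; Path=/; HttpOnly', 'theme=dark; Path=/'],
      'Content-Type': 'application/json',
    },
    body: '{"apiKey":"sk_live_XYZ789","theme":"dark"}',
  },
};

// Same options as the CLI example above: extra header, body pattern, theme cookie kept.
function demo() {
  return redactEntry(SAMPLE_ENTRY, {
    headers: ['x-api-key'],
    bodyPatterns: [/sk_live_[a-zA-Z0-9]+/],
    allowCookies: ['theme'],
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

Header names are compared case-insensitively, Set-Cookie attributes (Path, HttpOnly, ...) survive redaction so the recording still shows how the cookie was scoped, and allowHeaders wins over the redaction list, which is the exemption the CLI's --allow-headers describes.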