Sanitizing HTTP Traces

Problem statement

For troubleshooting purposes, Okta Support may request an HTTP trace file (e.g., Chrome’s .HAR export or Fiddler) to see the authentication flow. The HTTP trace will record all details of the requests and responses. This includes the data exchanged, the server response, and, if present in the authentication request, passwords, session tokens, cookies, and other confidential information.

For security reasons, sensitive information such as API keys, secrets, cookie values, or passwords should be redacted.

There is a HAR file sanitizer built into case file uploads that attempts to redact all sensitive information (API keys, secrets, cookie values, or passwords) in the file. When a HAR file is uploaded to a support Case, automation is triggered that redacts the HAR file on the customer side before the file is actually uploaded to the Case. The process for uploading a HAR file to a case is described in How to Sanitize a HTTP Trace File Automatically.

NOTE: If you have a HAR file, upload it to a support Case so that the file is auto-redacted. Fiddler traces can be exported to HTTP Archive v1.1 or v1.2.

NOTE: There’s no attempt to remove user information as part of the sanitization process. We recommend that you use a test user account when capturing the .HAR file.

This document calls out what is sanitized, what is not sanitized, what may be missed by the automatic sanitization, and when you may need to make manual redactions. Lastly, there are examples of how to make manual redactions.

Solution

Procedure: File Upload Sanitizer

Following the process in How to Sanitize a HTTP Trace File Automatically triggers the File Upload Sanitizer.

What is sanitized during file upload?

  • All cookies are redacted.
    • Each value is replaced with the first characters of a hash.
    • A few internal-use cookies have a different redaction strategy to allow Support to troubleshoot.
  • The signature from security tokens (ID tokens, access tokens, SAML responses) is redacted.
  • Some field values are removed, based on a list of commonly used sensitive field names.
  • Many response types, such as images, fonts, JavaScript, and CSS, have their content removed.

What is not sanitized during file upload?

  • All claims in JWT tokens and attributes in SAML assertions are left intact to aid in troubleshooting authentication flows.

What may be missed during file upload?

  • If you entered a password while capturing the HTTP trace, check that the password was redacted:
    • Download the sanitized HAR file.
    • Open it with a text editor and search for the password string that you entered.
    • If you don’t find the password, the sanitized file is okay to submit.
    • If you do find it, open the original HAR file, replace the password with “[redacted]”, save it, and re-attach it to sanitize it.
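The rules listed under "What is sanitized" and "What is not sanitized", together with the manual password search above, are illustrated by the following added example. It is not Okta's File Upload Sanitizer; the sensitive field names, MIME types, and the single-entry HAR fragment are constructed for the example.

```python
import copy
import hashlib
import json

# Assumed field-name list and content types; Okta's actual lists are not published in this article.
SENSITIVE_FIELDS = {"password", "client_secret", "api_key", "sessiontoken"}
STRIP_MIME_PREFIXES = ("image/", "font/", "text/css", "application/javascript")

def _hash_prefix(value: str) -> str:
    # Cookie values become the first characters of a hash, so the raw value never survives.
    return hashlib.sha256(value.encode()).hexdigest()[:8]

def _strip_signature(token: str) -> str:
    # Compact JWT "header.payload.signature": claims stay readable, only the signature is redacted.
    parts = token.split(".")
    return ".".join(parts[:2] + ["[redacted]"]) if len(parts) == 3 else token

def sanitize_har(har: dict) -> dict:
    out = copy.deepcopy(har)  # never modify the original trace in place
    for entry in out["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        for cookie in req.get("cookies", []) + resp.get("cookies", []):
            cookie["value"] = _hash_prefix(cookie["value"])
        for hdr in req.get("headers", []):
            name, value = hdr["name"].lower(), hdr["value"]
            if name == "cookie":
                hdr["value"] = _hash_prefix(value)
            elif name == "authorization" and value.startswith("Bearer "):
                hdr["value"] = "Bearer " + _strip_signature(value[7:])
        for param in req.get("postData", {}).get("params", []):
            if param["name"].lower() in SENSITIVE_FIELDS:
                param["value"] = "[redacted]"
        content = resp.get("content", {})
        if content.get("mimeType", "").startswith(STRIP_MIME_PREFIXES):
            content["text"] = ""
    return out

def still_contains(har: dict, secret: str) -> bool:
    # The manual check from this article: search the sanitized file for the exact string you typed.
    return secret in json.dumps(har)

# Constructed single-entry HAR fragment (not a real capture); the JWT and cookie are dummies.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"cookies": [{"name": "sid", "value": "sid-secret-value"}],
                "headers": [{"name": "Cookie", "value": "sid=sid-secret-value"},
                            {"name": "Authorization", "value": "Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.SIGBYTES"}],
                "postData": {"params": [{"name": "username", "value": "testuser"},
                                        {"name": "password", "value": "hunter2"}]}},
    "response": {"content": {"mimeType": "image/png", "text": "iVBORw0KGgo-constructed-bytes"}}}]}}
```

Note that the username survives sanitization, which is why the article recommends capturing with a test user account.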

When should I sanitize the HTTP Trace file Manually?

In these situations, consider manually redacting the HTTP Trace.

  • The file isn’t a HAR file.
  • A password field has an uncommon name.
  • Some vendor-specific fields have uncommon names.

NOTE: If there is any concern about sensitive information that the file upload sanitizer may miss, consider manually redacting the file.

NOTE: HTTP Traces other than HAR will need to be manually redacted.
