Log Masker & Sensitive Data Anonymizer
Paste logs or text to automatically detect and redact sensitive data β emails, IP addresses, API keys, tokens, passwords, credit cards, phone numbers and custom regex patterns. Everything runs in your browser; nothing is sent anywhere.
Log Masker Overview
A log masker (also called a log sanitizer or PII redactor) automatically detects and replaces sensitive data in log output with safe placeholder values, making the logs safe to share, store in external systems, or include in bug reports. Sensitive data such as email addresses, API keys, credit card numbers, passwords, and JWT tokens routinely end up in application logs β often unintentionally β creating significant privacy and security risks when those logs are forwarded to third-party log aggregation services, shared with support teams, or retained beyond their necessary lifecycle. The tool applies a library of pre-built regular expressions β each tuned to match a specific type of sensitive data β to your input text using JavaScript's String.prototype.replace() with global flag matching.
Step-by-Step Example
Suppose you're about to attach a log excerpt to a vendor support ticket. First, paste the raw log block into the input panel β including any lines containing customer emails, IP addresses, or a stack trace with an embedded auth header. Second, choose a masking style: for a support ticket where the vendor needs to know what type of data was present without seeing the actual value, the labelled placeholder style ([REDACTED_EMAIL]) is the right choice over a plain asterisk mask. Third, run the masking pass and scan the output for any values that weren't caught β a custom internal identifier format, for instance, won't match the built-in patterns and needs a custom regex added before the log is safe to share. Fourth, paste the masked output into the ticket, confident that the original log data never left your browser during the process.
Why DevOps Teams Use This
GDPR, HIPAA, PCI DSS, and most modern data privacy regulations impose strict requirements on how personal data in logs must be handled. Masking logs before export or analysis is one of the most practical ways to reduce compliance risk without having to instrument every single log call in your codebase. Common workflows include sanitizing log excerpts before sharing them with vendors or in GitHub issues, testing masking rules before enabling a live SIEM or log aggregation pipeline, debugging in privacy-sensitive healthcare or fintech environments without granting broad PII access, and iterating on custom regex patterns against real log samples before deploying them to a production log processor.
Common Mistakes & Troubleshooting
- Assuming the built-in patterns catch every secret format: Generic API key regexes match common conventions like
api_key=orAKIA..., but a proprietary internal token format (e.g. a custom UUID-prefixed session ID) will sail through unmasked unless you add a custom pattern for it β always do a manual scan of the masked output before sharing. - Masking structured logs as plain text and breaking the JSON: If your logs are JSON lines and a masking regex matches across a quoted string boundary, you can end up with malformed JSON in the output β when masking structured logs, test that the result still parses before piping it into a JSON-aware log viewer.
- Using asterisk masking when you need correlation: If you need to confirm whether the same user triggered multiple log lines without seeing their actual email, plain
***masked***destroys that signal β use the deterministic hash style instead so identical inputs always produce identical, comparable hash tokens. - Forgetting that masking is one-way: Once a value is replaced with a placeholder or hash, the original is gone from that copy of the log β always keep an unmasked copy in your access-controlled primary log store, and only mask the copy you intend to export or share externally.
Frequently Asked Questions
What types of sensitive data does this tool detect?
The tool detects and masks a comprehensive set of PII and secret data types including email addresses, IPv4 and IPv6 addresses, JWT tokens (the eyJ... format), Bearer tokens in HTTP headers, generic API keys matching common patterns (api_key=, api_token=, access_token=), AWS access key IDs (AKIA...), AWS secret access keys, credit card numbers (Visa, Mastercard, Amex, Diners), US Social Security Numbers, phone numbers in common formats, private key PEM blocks, URLs containing embedded credentials (user:password@host), MAC addresses, and high-entropy hex strings of 32 or more characters. You can also define custom regex patterns to catch application-specific secrets.
Is my log data sent to a server?
No. All masking happens entirely in your browser using JavaScript regular expressions β no network request is made when you paste logs or click to mask. Your log data never leaves your device, which makes this tool safe to use with production logs that contain real customer data or internal secrets. You can verify this by opening your browser's developer tools Network tab and observing that no outbound requests are made during masking operations. This client-side design is an intentional security decision: sending log data to a server for processing would itself create the type of data exposure the tool is meant to prevent.
What masking styles are available and when should I use each?
Four masking styles are available. [REDACTED_TYPE] replaces each match with a labelled placeholder (e.g. [REDACTED_EMAIL]), preserving information about what type of data was present β best for audit logs and compliance documentation. ***masked*** produces a compact, visually obvious redaction marker suitable for human-reviewed log excerpts. sha256(value) produces a deterministic hash token derived from the original value: the same secret produces the same hash every time, enabling you to correlate occurrences of the same value across multiple log lines without revealing the underlying data β useful for analytics and debugging. Partial masking preserves the first and last characters while replacing the middle with asterisks (e.g. jo***@example.com), mimicking how payment terminals display card numbers, which aids debugging while reducing exposure.