πŸ™ˆ Security

Log Masker & Sensitive Data Anonymizer

Paste logs or text to automatically detect and redact sensitive data β€” emails, IP addresses, API keys, tokens, passwords, credit cards, phone numbers and custom regex patterns. Everything runs in your browser; nothing is sent anywhere.

🎭 Masking Style
πŸ” Detection Rules
βž• Custom Pattern
πŸ“‹ Input Logs
Privacy first: All masking happens entirely in JavaScript in your browser. Sensitive data never leaves your device. Useful before sharing logs with colleagues, submitting bug reports, or storing in ticketing systems.
πŸ“– How to Use This Tool
β–Ό
1
Paste logs containing sensitive data
2
Toggle detection rules (emails, IPs, API keys, etc.)
3
Choose masking style: [REDACTED], ***masked***, etc.
4
Copy the safe output for sharing
πŸ“ Examples
Mask log
Input: [email protected] from 192.168.1.1
Output: [REDACTED_EMAIL] from [REDACTED_IPV4]

Log Masker Overview

A log masker (also called a log sanitizer or PII redactor) automatically detects and replaces sensitive data in log output with safe placeholder values, making the logs safe to share, store in external systems, or include in bug reports. Sensitive data such as email addresses, API keys, credit card numbers, passwords, and JWT tokens routinely end up in application logs β€” often unintentionally β€” creating significant privacy and security risks when those logs are forwarded to third-party log aggregation services, shared with support teams, or retained beyond their necessary lifecycle. The tool applies a library of pre-built regular expressions β€” each tuned to match a specific type of sensitive data β€” to your input text using JavaScript's String.prototype.replace() with global flag matching.

Step-by-Step Example

Suppose you're about to attach a log excerpt to a vendor support ticket. First, paste the raw log block into the input panel β€” including any lines containing customer emails, IP addresses, or a stack trace with an embedded auth header. Second, choose a masking style: for a support ticket where the vendor needs to know what type of data was present without seeing the actual value, the labelled placeholder style ([REDACTED_EMAIL]) is the right choice over a plain asterisk mask. Third, run the masking pass and scan the output for any values that weren't caught β€” a custom internal identifier format, for instance, won't match the built-in patterns and needs a custom regex added before the log is safe to share. Fourth, paste the masked output into the ticket, confident that the original log data never left your browser during the process.

Why DevOps Teams Use This

GDPR, HIPAA, PCI DSS, and most modern data privacy regulations impose strict requirements on how personal data in logs must be handled. Masking logs before export or analysis is one of the most practical ways to reduce compliance risk without having to instrument every single log call in your codebase. Common workflows include sanitizing log excerpts before sharing them with vendors or in GitHub issues, testing masking rules before enabling a live SIEM or log aggregation pipeline, debugging in privacy-sensitive healthcare or fintech environments without granting broad PII access, and iterating on custom regex patterns against real log samples before deploying them to a production log processor.

Common Mistakes & Troubleshooting

Frequently Asked Questions

What types of sensitive data does this tool detect?

The tool detects and masks a comprehensive set of PII and secret data types including email addresses, IPv4 and IPv6 addresses, JWT tokens (the eyJ... format), Bearer tokens in HTTP headers, generic API keys matching common patterns (api_key=, api_token=, access_token=), AWS access key IDs (AKIA...), AWS secret access keys, credit card numbers (Visa, Mastercard, Amex, Diners), US Social Security Numbers, phone numbers in common formats, private key PEM blocks, URLs containing embedded credentials (user:password@host), MAC addresses, and high-entropy hex strings of 32 or more characters. You can also define custom regex patterns to catch application-specific secrets.

Is my log data sent to a server?

No. All masking happens entirely in your browser using JavaScript regular expressions β€” no network request is made when you paste logs or click to mask. Your log data never leaves your device, which makes this tool safe to use with production logs that contain real customer data or internal secrets. You can verify this by opening your browser's developer tools Network tab and observing that no outbound requests are made during masking operations. This client-side design is an intentional security decision: sending log data to a server for processing would itself create the type of data exposure the tool is meant to prevent.

What masking styles are available and when should I use each?

Four masking styles are available. [REDACTED_TYPE] replaces each match with a labelled placeholder (e.g. [REDACTED_EMAIL]), preserving information about what type of data was present β€” best for audit logs and compliance documentation. ***masked*** produces a compact, visually obvious redaction marker suitable for human-reviewed log excerpts. sha256(value) produces a deterministic hash token derived from the original value: the same secret produces the same hash every time, enabling you to correlate occurrences of the same value across multiple log lines without revealing the underlying data β€” useful for analytics and debugging. Partial masking preserves the first and last characters while replacing the middle with asterisks (e.g. jo***@example.com), mimicking how payment terminals display card numbers, which aids debugging while reducing exposure.