DevTools Data Filtering
When Crosscheck captures DevTools context alongside your screenshots, recordings, or replays, it automatically filters sensitive data from network requests. This page explains how filtering works and what options you have to control it.
Automatic Header Filtering
Crosscheck automatically strips sensitive headers from captured network requests before uploading. The following headers are filtered by default:
| Header | Why It Is Filtered |
|---|---|
| Authorization | Contains bearer tokens, API keys, or basic auth credentials |
| Cookie | May contain session identifiers and authentication material |
| Set-Cookie | May contain session tokens set by the server |
| X-API-Key | Application-specific API keys |
| X-Auth-Token | Custom authentication tokens |
These headers are replaced with a placeholder value in the captured data so you can see that the header was present without exposing the actual value.
Automatic Content Redaction
Beyond header filtering, Crosscheck automatically detects and redacts sensitive data patterns in request and response bodies before uploading. The following types of data are automatically replaced with redacted placeholders:
| Data Type | Examples |
|---|---|
| Access & refresh tokens | access_token, refresh_token, id_token |
| Passwords & credentials | Password fields, secret values |
| API keys | api_key, api_secret, client_secret |
| Session identifiers | Session IDs, cookie values |
| Payment information | Credit card numbers |
| Personal identifiers | Social Security Numbers (SSN) |
| Authorization values | Authorization header values, bearer tokens |
Request and Response Body Capture
By default, Crosscheck captures request and response bodies for network requests to help developers understand API interactions. Sensitive data is automatically redacted as described above. You can toggle DevTools recording on or off entirely from the extension settings.
Console Log Filtering
Console logs are captured as-is from the browser console. If your application logs sensitive data to the console (which is generally considered a bad practice), those logs will appear in the captured DevTools data. Crosscheck does not automatically redact console output.
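Because console output is captured unredacted, an application can redact at the source before anything is logged. The following is an added example, not Crosscheck code: the key names mirror the tables on this page, while the regular expressions, the `[REDACTED]` placeholder, and the function names are assumptions.

```javascript
// Added example (not Crosscheck code). Key names mirror this page's tables;
// the patterns, placeholder and function names are assumptions.
const PLACEHOLDER = "[REDACTED]";
const SENSITIVE_KEY = /^(authorization|cookie|set-cookie|x-api-key|x-auth-token|password|secret|api_key|api_secret|client_secret|access_token|refresh_token|id_token|session_?id)$/i;
const BEARER = /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/gi;
const KEY_VALUE = /\b(access_token|refresh_token|id_token|api_key|api_secret|client_secret|password)(["']?\s*[:=]\s*["']?)[^\s"'&,}]+/gi;

// Redact bearer tokens and key=value / "key":"value" pairs inside a string.
function redactString(s) {
  return s
    .replace(BEARER, "Bearer " + PLACEHOLDER)
    .replace(KEY_VALUE, (_m, key, sep) => key + sep + PLACEHOLDER);
}

// Return a redacted copy of any console argument; the original is not mutated.
function redactValue(v, seen = new WeakSet()) {
  if (typeof v === "string") return redactString(v);
  if (v === null || typeof v !== "object") return v;
  if (v instanceof Error) return redactString(String(v.stack || v.message));
  const proto = Object.getPrototypeOf(v);
  const plain = proto === Object.prototype || proto === null;
  if (!Array.isArray(v) && !plain) return v; // Date, Map, DOM nodes: passed through unchanged
  if (seen.has(v)) return "[Circular]"; // cycle guard
  seen.add(v);
  if (Array.isArray(v)) return v.map((x) => redactValue(x, seen));
  const out = {};
  for (const [k, val] of Object.entries(v)) {
    out[k] = SENSITIVE_KEY.test(k) ? PLACEHOLDER : redactValue(val, seen);
  }
  return out;
}

// Wrap the console methods so every argument is redacted before it is logged.
// Returns a function that restores the original methods.
function installConsoleRedaction(target = console) {
  const originals = {};
  for (const m of ["log", "info", "warn", "error", "debug"]) {
    originals[m] = target[m];
    target[m] = (...args) => originals[m].apply(target, args.map((a) => redactValue(a)));
  }
  return () => Object.assign(target, originals);
}
```

Call `installConsoleRedaction()` once at application start-up, before any other code logs. Secrets logged under key names outside the list, or held inside non-plain objects such as a `Map`, are not caught by this sketch.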
DevTools Recording Toggle
The extension settings include a DevTools Recording toggle that controls whether developer context (console logs, network requests, and user actions) is captured alongside your screenshots and recordings. When disabled, captures will only include the visual evidence without any DevTools data.