
Bruno Secret Masking in Reports

Overview

Bruno automatically masks sensitive information in reports to protect your secrets from being exposed. This documentation explains what gets masked.

What gets masked?

1. Sensitive Headers (Always Masked)

Bruno always masks the values of the following headers, whatever those values contain:

Header Name   | Example                        | Masked Result
Authorization | Bearer eyJhbGciOiJIUzI1NiIs... | Bearer ********
X-API-Key     | sk-1234567890abcdef            | ********
Cookie        | session=abc123; auth=xyz789    | ********
Set-Cookie    | session=abc123; HttpOnly       | ********
X-Auth-Token  | token123456                    | ********
Client-Secret | secret_abc123                  | ********

Complete list of sensitive headers:

  • authorization, proxy-authorization
  • x-api-key, x-auth-token, x-csrf-token, x-xsrf-token
  • cookie, set-cookie
  • api-key, x-access-token
  • session-token, x-session-token, x-refresh-token
  • x-id-token, x-jwt-assertion
  • client-secret, secret-key
  • x-wsse, www-authenticate

3. Secret Environment Variables

Bruno masks all values of environment variables marked as secret in the UI:


  • db_pass variable: Marked as secret (blue checkmark in Secret column), so its value is masked as **** in the interface
  • db_user variable: Not marked as secret (unchecked Secret column), so the value will be displayed in plain text

Result: Every instance where db_pass is referenced appears masked in the report.

4. External Secrets

Bruno masks secrets fetched from external providers:

  • HashiCorp Vault secrets
  • AWS Secrets Manager values
  • Azure Key Vault secrets

In .env Files

All values in .env files are treated as secrets:

API_KEY=sk-1234567890abcdef
CLIENT_SECRET=secret_abc123
DATABASE_URL=postgresql://user:pass@host:5432/db
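
The two rules above (always-masked header names, and secret values that must not appear anywhere in the output) are easy to check with a small sanitiser. The following is an added example, not Bruno's own code; the header list is the one given above, the scheme-preserving form for Authorization is an assumption modelled on the "Bearer ********" row of the table:

```javascript
// Added example (not Bruno's own code): apply the page's masking rules to
// captured headers and free text before they are written to a report.

// Header names from the "Complete list of sensitive headers" above,
// compared case-insensitively.
const SENSITIVE_HEADERS = new Set([
  'authorization', 'proxy-authorization',
  'x-api-key', 'x-auth-token', 'x-csrf-token', 'x-xsrf-token',
  'cookie', 'set-cookie',
  'api-key', 'x-access-token',
  'session-token', 'x-session-token', 'x-refresh-token',
  'x-id-token', 'x-jwt-assertion',
  'client-secret', 'secret-key',
  'x-wsse', 'www-authenticate',
]);

const HEADER_MASK = '********'; // form used in the header table above
const VALUE_MASK = '****';      // form shown for secret variables

// Mask one header value. For Authorization / Proxy-Authorization the
// scheme ("Bearer", "Basic") is kept so the report still shows which auth
// method was used; this scheme handling is an assumption of the example.
function maskHeaderValue(name, value) {
  const lower = name.toLowerCase();
  if (!SENSITIVE_HEADERS.has(lower)) return value;
  if (lower === 'authorization' || lower === 'proxy-authorization') {
    const m = /^([A-Za-z][A-Za-z0-9-]*)\s+\S/.exec(value);
    if (m) return `${m[1]} ${HEADER_MASK}`;
  }
  return HEADER_MASK;
}

// Return a copy of a headers object with sensitive values masked.
function maskHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = maskHeaderValue(name, String(value));
  }
  return out;
}

// Replace every occurrence of each secret value (secret environment
// variables, .env values, external-provider secrets) in free text such as
// a URL or body. Longer secrets are replaced first so a secret that is a
// prefix of another cannot leave a partial value behind.
function maskSecretValues(text, secretValues) {
  const secrets = [...new Set(secretValues)]
    .filter((s) => typeof s === 'string' && s.length > 0)
    .sort((a, b) => b.length - a.length);
  let out = String(text);
  for (const s of secrets) out = out.split(s).join(VALUE_MASK);
  return out;
}
```

Value-based masking is only as good as the values it knows about: a very short secret will also mask unrelated text that happens to contain it, and a secret that was transformed (base64-encoded, URL-encoded) before being sent will not be caught by a plain substring match.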

Where Masking Appears

Bruno masks secrets in:

  • HTML reports
  • JSON reports
  • JUnit reports