# Secret Masking in Reports

## Overview

Bruno automatically masks sensitive information in reports to protect your secrets from being exposed. This documentation explains what gets masked.

## What gets masked?

### 1. Sensitive Headers (Always Masked)

Bruno automatically masks the values of these headers, regardless of what the value contains:

| Header Name     | Example                          | Masked Result     |
| --------------- | -------------------------------- | ----------------- |
| `Authorization` | `Bearer eyJhbGciOiJIUzI1NiIs...` | `Bearer ********` |
| `X-API-Key`     | `sk-1234567890abcdef`            | `********`        |
| `Cookie`        | `session=abc123; auth=xyz789`    | `********`        |
| `Set-Cookie`    | `session=abc123; HttpOnly`       | `********`        |
| `X-Auth-Token`  | `token123456`                    | `********`        |
| `Client-Secret` | `secret_abc123`                  | `********`        |

**Complete list of sensitive headers:**

* `authorization`, `proxy-authorization`
* `x-api-key`, `x-auth-token`, `x-csrf-token`, `x-xsrf-token`
* `cookie`, `set-cookie`
* `api-key`, `x-access-token`
* `session-token`, `x-session-token`, `x-refresh-token`
* `x-id-token`, `x-jwt-assertion`
* `client-secret`, `secret-key`
* `x-wsse`, `www-authenticate`

### 2. Secret Environment Variables

Bruno masks all values of environment variables marked as secret in the UI:

<img src="https://mintcdn.com/bruno-a6972042/bKrHa_JvyAqCslj1/images/screenshots/secret-variables/secret-variables.webp?fit=max&auto=format&n=bKrHa_JvyAqCslj1&q=85&s=fc6029ee5b4ae6e588909f5a2e7e71c7" alt="secret variables" width="2468" height="872" data-path="images/screenshots/secret-variables/secret-variables.webp" />

* **`baseUrl` variable**: Marked as secret (orange checkmark in the Secret column), so its value is masked as `****` in the interface.
* **`JWT_TOKEN` variable**: Not marked as secret (unchecked Secret column), so its value, which comes from the `.env` file, is displayed in plain text.

**Result:** Every instance where `baseUrl` is referenced appears masked in the report.

### 3. External Secrets

Bruno masks secrets fetched from external providers:

* **HashiCorp Vault** secrets
* **AWS Secrets Manager** values
* **Azure Key Vault** secrets

### 4. Values in `.env` Files

All values in `.env` files are treated as secrets:

```env
API_KEY=sk-1234567890abcdef
CLIENT_SECRET=secret_abc123
DATABASE_URL=postgresql://user:pass@host:5432/db
```

## Where Masking Appears

Bruno masks secrets in:

* **HTML reports**
* **JSON reports**
* **JUnit reports**
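
One way to verify masking in a pipeline, as an added example that is not Bruno code: the script treats a generated report as plain text, so it applies to HTML, JSON and JUnit output alike, and searches it for any `.env` value in raw, JSON-escaped, HTML-escaped or URL-encoded form. The function names, the `minLength` threshold and the sample report are assumptions constructed for illustration.

```javascript
// Added example (not Bruno code): flag a report that contains a .env value.

// Parse KEY=VALUE lines; skips blanks and # comments, strips matching quotes.
function parseEnv(text) {
  const vars = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    const raw = m[2].trim();
    const quoted = raw.match(/^(["'])(.*)\1$/);
    const value = quoted ? quoted[2] : raw;
    if (value) vars[m[1]] = value;
  }
  return vars;
}

// Forms a value can take once embedded in JSON, HTML/XML or a URL.
function encodedForms(value) {
  const html = value.replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
  return [...new Set([value, JSON.stringify(value).slice(1, -1), html, encodeURIComponent(value)])];
}

// Returns the names of .env variables whose value appears anywhere in the report.
// minLength (assumed default) skips short values that would match by coincidence.
function findLeaks(reportText, envText, minLength = 6) {
  return Object.entries(parseEnv(envText))
    .filter(([, value]) => value.length >= minLength)
    .filter(([, value]) => encodedForms(value).some((form) => reportText.includes(form)))
    .map(([name]) => name);
}

// Constructed sample input: the .env values shown on this page.
const sampleEnv = [
  '# constructed sample',
  'API_KEY=sk-1234567890abcdef',
  'CLIENT_SECRET="secret_abc123"',
  'DATABASE_URL=postgresql://user:pass@host:5432/db',
].join('\n');

// Constructed report text (not real Bruno output or its schema): the header is
// masked, but a URL-encoded copy of DATABASE_URL sits in a query string.
const sampleReport = JSON.stringify({
  headers: { 'X-API-Key': '********' },
  url: 'https://api.example.test/check?dsn=' + encodeURIComponent('postgresql://user:pass@host:5432/db'),
});

const leaks = findLeaks(sampleReport, sampleEnv);
console.log(leaks.length ? `unmasked: ${leaks.join(', ')}` : 'no .env values found');
```

In a pipeline, read the real report and `.env` file with `fs.readFileSync` and exit non-zero when the returned list is not empty.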
