> ## Documentation Index
> Fetch the complete documentation index at: https://docs.usebruno.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Bruno Secret Masking in Reports

## Overview

Bruno automatically masks sensitive information in reports to protect your secrets from being exposed. This documentation explains what gets masked.

## What gets masked?

### 1. Sensitive Headers (Always Masked)

Bruno automatically masks these header names regardless of their values:

| Header Name     | Example                          | Masked Result     |
| --------------- | -------------------------------- | ----------------- |
| `Authorization` | `Bearer eyJhbGciOiJIUzI1NiIs...` | `Bearer ********` |
| `X-API-Key`     | `sk-1234567890abcdef`            | `********`        |
| `Cookie`        | `session=abc123; auth=xyz789`    | `********`        |
| `Set-Cookie`    | `session=abc123; HttpOnly`       | `********`        |
| `X-Auth-Token`  | `token123456`                    | `********`        |
| `Client-Secret` | `secret_abc123`                  | `********`        |

**Complete list of sensitive headers:**

* `authorization`, `proxy-authorization`
* `x-api-key`, `x-auth-token`, `x-csrf-token`, `x-xsrf-token`
* `cookie`, `set-cookie`
* `api-key`, `x-access-token`
* `session-token`, `x-session-token`, `x-refresh-token`
* `x-id-token`, `x-jwt-assertion`
* `client-secret`, `secret-key`
* `x-wsse`, `www-authenticate`

### 3. Secret Environment Variables

Bruno masks all values of environment variables marked as secret in the UI:

<img src="https://mintcdn.com/bruno-a6972042/3EAm6Zc0s_0zNYSf/v2/images/screenshots/secret-masking/secret-masking.png?fit=max&auto=format&n=3EAm6Zc0s_0zNYSf&q=85&s=2483ccb69b93722597751dbee06927f7" alt="secret masking" width="1690" height="552" data-path="v2/images/screenshots/secret-masking/secret-masking.png" />

* **`db_pass` variable**: Marked as secret (blue checkmark in Secret column), so its value is masked as `****` in the interface
* **`db_user` variable**: Not marked as secret (unchecked Secret column), so the value will be displayed in plain text

**Result:** Every instance where `db_pass` is referenced appears masked in the report.

### 4. External Secrets

Bruno masks secrets fetched from external providers:

* **HashiCorp Vault** secrets
* **AWS Secrets Manager** values
* **Azure Key Vault** secrets

### In .env Files

All values in `.env` files are treated as secrets:

```env theme={null}
API_KEY=sk-1234567890abcdef
CLIENT_SECRET=secret_abc123
DATABASE_URL=postgresql://user:pass@host:5432/db
```

## Where Masking Appears

Bruno masks secrets in:

* **HTML reports**
* **JSON reports**
* **JUnit reports**
