Mask sensitive data like API keys, tokens, and passwords in text. Essential for logging and error messages to prevent credential exposure.
Code

```javascript
// Mask secrets that follow a label such as api_key=, token: or password=,
// keeping only the last `visibleChars` characters so the key can still be identified.
function redactSecrets(text, visibleChars = 4) {
  return text.replace(
    /(?:api[_-]?key|secret|token|password|auth|bearer)\s*[=:]\s*['"]?(\S+?)['"]?(?=\s|$)/gi,
    (match, secret) => {
      const visible = secret.slice(-visibleChars);
      return match.replace(secret, '***...' + visible);
    }
  );
}
```

Parameters

- text: Text containing secrets
- visibleChars: Characters to keep visible at end
Why Redact Secrets?
Secrets accidentally logged can lead to:
- Data breaches — attackers search logs for credentials
- Compliance violations — PCI-DSS, HIPAA, GDPR require secret protection
- Lateral movement — one leaked key can compromise multiple systems
Common Secret Patterns
This snippet catches common patterns:
| Pattern | Example |
|---|---|
| api_key=... | api_key=sk_live_abc123 |
| API-KEY: ... | API-KEY: xyz789 |
| password=... | password=secret123 |
| token: ... | token: eyJhbG... |
| auth=... | auth=bearer_token |
| secret=... | secret=my_secret |
Extending the Pattern
Add more patterns for your specific needs; this is the keyword alternation to drop into the expression above:

```javascript
// Add AWS, Stripe, GitHub patterns
/(?:api[_-]?key|secret|token|password|auth|bearer|aws[_-]?access|stripe[_-]?key|gh[op]_)/gi
```
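The following is an added example, not the snippet's own code. It layers the keyword rule above with prefix-based rules for tokens that carry no label at all (Stripe, GitHub and AWS key formats), a rule for the HTTP `Authorization: Bearer <token>` form, and URL userinfo, and it fully masks any secret that is no longer than the visible tail. The keyword rule is also adjusted to accept quoted JSON keys. The helper names, regexes and sample log lines are constructed for this example.

```javascript
// Added example, not the snippet's own code: layers the keyword rule above with
// prefix-based rules for tokens that carry no label, a "Bearer <token>" rule and
// URL userinfo. Helper names, regexes and sample lines are constructed here.

const VISIBLE_CHARS = 4;

// Labelled secrets: key=value or key: value. Quotes are optional on both sides
// of the separator so JSON-style "password": "x" is matched as well as password=x.
// The value stops at whitespace, quotes and the delimiters , ; & so a trailing
// comma or the next query parameter is not swallowed into the secret.
const KEYWORD_RE =
  /(api[_-]?key|secret|token|password|auth|bearer|aws[_-]?access[_-]?key|stripe[_-]?key)(['"]?\s*[=:]\s*['"]?)([^\s'",;&]+)/gi;

// "Authorization: Bearer <token>" has a space, not = or :, after the keyword.
const BEARER_RE = /\b(bearer\s+)([\w.~+\/=-]+)/gi;

// Tokens recognisable by their prefix even with no label in front of them:
// Stripe secret keys, GitHub tokens (ghp_/gho_/ghu_/ghs_/ghr_) and AWS access key IDs.
const PREFIX_RE =
  /\b(?:sk_(?:live|test)_[A-Za-z0-9]+|gh[pousr]_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})\b/g;

// Credentials embedded in URLs: scheme://user:password@host
const URL_USERINFO_RE = /(https?:\/\/[^\s\/@:]+:)([^\s\/@]+)@/gi;

// Keep the tail for debugging, but a secret no longer than the visible tail is
// masked completely; otherwise "***...ab" would reveal the whole value "ab".
function mask(secret, visibleChars = VISIBLE_CHARS) {
  if (secret.length <= visibleChars) return '***';
  return '***...' + secret.slice(-visibleChars);
}

function redactText(text, visibleChars = VISIBLE_CHARS) {
  return text
    .replace(URL_USERINFO_RE, (m, prefix, password) => prefix + mask(password, visibleChars) + '@')
    // Rebuild from the captured parts instead of match.replace(secret, ...),
    // which would hit the first occurrence of the secret text wherever it is.
    .replace(KEYWORD_RE, (m, key, sep, secret) => key + sep + mask(secret, visibleChars))
    .replace(BEARER_RE, (m, label, token) => label + mask(token, visibleChars))
    .replace(PREFIX_RE, (token) => mask(token, visibleChars));
}

function redactLines(lines, visibleChars = VISIBLE_CHARS) {
  return lines.map((line) => redactText(line, visibleChars));
}

// Constructed sample log lines. AKIAIOSFODNN7EXAMPLE is the placeholder key ID
// used in the AWS documentation, not a real credential.
const SAMPLE_LOG_LINES = [
  'POST /v1/charges api_key=sk_live_abc123 status=200',
  'config: {"password": "hunter2", "token": "eyJhbGciOiJIUzI1NiJ9"}',
  'fetching https://deploy:S3cretPass@git.example.internal/repo.git',
  'using AKIAIOSFODNN7EXAMPLE for s3 upload',
  'GitHub PAT ghp_0123456789abcdefghijklmnopqrstuvwxyz in env',
  'Authorization: Bearer tok_abcdef123456',
  'password=ab',
];

for (const line of redactLines(SAMPLE_LOG_LINES)) console.log(line);
```

The rules run in a fixed order: URL userinfo first (so a password in a URL is masked before the keyword scan sees the rest of the line), then labelled values, then Bearer headers, then bare prefixed tokens. Each replacement rebuilds the output from the captured label and separator, so the only text that changes is the secret itself.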
Best Practices
Keep some characters visible
Showing the last 4 characters helps with debugging:
- sk_live_***...x789 — You can identify which key was used
- ************ — No way to tell keys apart
Redact before logging, not after
```javascript
// GOOD: Redact first
logger.info(redactSecrets(requestBody));

// BAD: Secret already in log buffer
logger.info(requestBody);
redactFromLogs(); // Too late!
```
Consider structured logging
Instead of string replacement, use structured logging with known secret fields:
```javascript
const sanitized = {
  ...request,
  headers: {
    ...request.headers,
    authorization: '[REDACTED]'
  }
};
```
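The spread above handles one known header. As an added example (not the snippet's own code), the following sanitizer generalises it: it walks the whole request object, redacts fields by name at any depth, copies instead of mutating so the handler keeps the real credentials, and bounds recursion so cyclic input cannot hang the logger. The field list, helper names and sample request are constructed for this example.

```javascript
// Added example, not the snippet's own code: sanitize the request object itself
// before it reaches the logger, so fields are chosen by name instead of by
// scanning the rendered string. The field list, helper names and sample request
// are constructed for this example.

// Header and body field names whose values are never logged.
const SECRET_FIELD_NAMES = new Set([
  'authorization', 'proxy-authorization', 'cookie', 'set-cookie', 'x-api-key',
  'password', 'token', 'secret', 'client_secret',
]);

// Guards against runaway recursion on deeply nested or cyclic input.
const MAX_DEPTH = 8;

function isSecretField(name) {
  const lower = String(name).toLowerCase();
  // exact matches first, then compound names such as refresh_token or apiKey
  return SECRET_FIELD_NAMES.has(lower) || /(?:token|secret|password|api[_-]?key)$/.test(lower);
}

// Returns a new value; the original request is left untouched so the handler
// can still use the real credentials after the log call.
function sanitize(value, depth = 0) {
  if (depth > MAX_DEPTH) return '[TRUNCATED]';
  if (Array.isArray(value)) return value.map((item) => sanitize(item, depth + 1));
  if (value !== null && typeof value === 'object') {
    const copy = {};
    for (const [name, inner] of Object.entries(value)) {
      copy[name] = isSecretField(name) ? '[REDACTED]' : sanitize(inner, depth + 1);
    }
    return copy;
  }
  return value; // strings, numbers, booleans, null and undefined pass through
}

// What a request logger would emit: one JSON line built from the sanitized copy.
function toLogRecord(request) {
  return JSON.stringify(sanitize(request));
}

// Constructed sample request (not captured from any real system).
const SAMPLE_REQUEST = {
  method: 'POST',
  url: '/v1/login',
  headers: {
    host: 'api.example.internal',
    authorization: 'Bearer tok_abcdef123456',
    'x-request-id': 'req-42',
  },
  body: {
    username: 'alice',
    password: 'hunter2',
    device: { id: 'dev-7', refreshToken: 'rt_9f8e7d' },
  },
};

console.log(toLogRecord(SAMPLE_REQUEST));
```

Because redaction is keyed on field names, a value like a JWT or an API key in a known field is removed regardless of its format, which covers the labelled-JSON case that a text regex handles awkwardly; the trade-off is that a secret placed in a field not on the list passes through, so the list belongs under review alongside the API schema.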
What This Doesn't Catch
- Base64-encoded secrets without keywords
- Secrets in URLs: https://user:pass@host
- Custom header names: X-Custom-Auth: secret
- Secrets in JSON without labeled keys