Skip to main content
Log Security

Log Sanitizer Without Uploading
Redact PII Before It Leaves Your Machine

What online log sanitizers do with your files, what your logs actually contain, and why client-side processing is the only safe approach.

7 min read·Updated May 2026

Log sanitizer without uploading: the only safe way to redact PII from a log file is a tool that processes everything in your browser — because a sanitizer that uploads your log to a server to clean it has just sent the sensitive data you wanted to remove to a third party, which is exactly the problem you were trying to solve.

The Irony of Server-Side Log Sanitizers

Think about the sequence of events with a server-side sanitizer:

1
You have a log file containing emails, IPs, API keys and session tokens
2
You want to share the log safely — so you upload it to an online sanitizer
3
The sanitizer's server receives your complete, unredacted log file
4
The server processes it and returns the redacted version
5
The original log, with all the sensitive data intact, now exists in their request logs, application logs, and possibly their object storage

You've solved the problem downstream (the person you share the log with doesn't see the PII) while creating a larger problem upstream (a server you don't control now has a copy of everything you were trying to protect).

What Your Log Files Actually Contain

Developers often underestimate how much sensitive data accumulates in logs. A typical web application log will contain some or all of these:

Email addresses
Authentication events, password reset requests, user lookup queries — all logged with the full email address.
IP addresses
Every request log line includes the client IP. Under GDPR, CCPA and HIPAA, IP addresses are personal data.
API keys & tokens
Bearer tokens, API keys and OAuth tokens appear in Authorization headers, which many frameworks log by default.
Session IDs
Session tokens in cookies or URL parameters are regularly captured in access logs and can be replayed.
JWT tokens
Full JWT strings in Authorization headers. The payload contains user ID, email, roles and expiry — all readable without a secret.
Database query values
ORM debug logging, slow query logs and query error logs include the literal values bound to prepared statements.
File paths & usernames
Stack traces include absolute server paths, which reveal directory structure and often the deployment username.
Plaintext passwords
Form submissions that fail validation before hashing are sometimes logged verbatim in request body dumps.

Tool Comparison

Feature Server-side sanitizers ResourceCentral Log Sanitizer CLI (sed / grep)
Log processed client-side
No file sent to a server
Works offline
Emails, IPs, API keys detected varies
JWT & session token detection varies
Custom pattern support varies
No install required
Handles large files (>100 MB) varies
Verifiable via DevTools
HIPAA / GDPR safe by design

Sanitize Logs Without Any Tool

For targeted one-off redaction on the command line:

# Redact email addresses
sed -E 's/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/[EMAIL]/g' app.log

# Redact IPv4 addresses
sed -E 's/\b([0-9]{1,3}\.){3}[0-9]{1,3}\b/[IP]/g' app.log

# Redact Authorization header values (Bearer tokens, API keys)
sed -E 's/(Authorization: Bearer )[^\s]+/\1[TOKEN]/g' app.log

# Chain multiple patterns
cat app.log \
  | sed -E 's/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/[EMAIL]/g' \
  | sed -E 's/\b([0-9]{1,3}\.){3}[0-9]{1,3}\b/[IP]/g' \
  | sed -E 's/(Authorization: Bearer )[^\s]+/\1[TOKEN]/g' \
  > app.redacted.log

Or in Python, which handles larger files more gracefully and gives you more control over patterns:

import re, sys

PATTERNS = [
    (re.compile(r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}'), '[EMAIL]'),
    (re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'),               '[IP]'),
    (re.compile(r'Bearer [A-Za-z0-9\-._~+/]+=*'),               'Bearer [TOKEN]'),
    (re.compile(r'[A-Za-z0-9\-_]{20,}\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+'), '[JWT]'),
]

with open(sys.argv[1]) as f:
    for line in f:
        for pattern, replacement in PATTERNS:
            line = pattern.sub(replacement, line)
        print(line, end='')

How to Verify a Browser Tool Is Truly Client-Side

1
Open DevTools
F12 → Network tab. Clear the log so you start from a clean baseline.
2
Paste or drop a sample log
Use a log with fake data — a few lines with made-up emails and IPs is enough.
3
Run the sanitizer
Click the sanitize/redact button.
4
Check for network requests
If any XHR or Fetch requests appear, the tool is uploading your data. A client-side tool produces zero new network activity.
5
Disconnect and retry
Turn off WiFi, reload the page, and try again. A truly offline-capable tool works without a network connection.

Compliance Context

For teams working under HIPAA or GDPR, the processing location matters legally — not just operationally:

HIPAA
Transmitting a log containing a patient identifier (name, email, IP, date of service) to a third-party server without a Business Associate Agreement is a potential HIPAA violation — even if you're using that server to sanitize it. Client-side processing eliminates the transmission entirely.
GDPR
Sending EU personal data to a processor (even temporarily) requires a Data Processing Agreement and a lawful basis. Uploading a log file to a US-based sanitizer service without these controls in place is a GDPR compliance issue. Processing locally requires no DPA because the data never leaves your jurisdiction.

Sanitize Logs in Your Browser — Nothing Uploaded

Emails, IPs, API keys, JWTs, session tokens and custom patterns. Works offline. Verify in DevTools: zero POST requests.

Open Log Sanitizer →

Related

Log Sanitizer Tool How to Sanitize Log Files HIPAA Log Redaction GDPR-Compliant Logging Parse Logs with Regex Remove Secrets from Python Tracebacks