# Secrets

It is possible to mask out sensitive data when passing it to steps. This is important when filling password fields, or sending secure keys to API endpoint. CodeceptJS provides two approaches for masking sensitive data:

# 1. Using the `secret()` Function

Wrap data in secret function to mask sensitive values in output and logs.

For basic string secret just wrap a value into a string:

I.fillField('password', secret('123456'))

When executed it will be printed like this:

I fill field "password" "*****"

Other Examples

I.fillField('password', secret('123456'))
I.append('password', secret('123456'))
I.type('password', secret('123456'))

For an object, which can be a payload to POST request, specify which fields should be masked:

I.sendPostRequest(
  '/login',
  secret(
    {
      name: 'davert',
      password: '123456',
    },
    'password',
  ),
)

The object created from secret is as Proxy to the object passed in. When printed password will be replaced with ****.

⚠️ Only direct properties of the object can be masked via secret

# 2. Global Sensitive Data Masking

CodeceptJS can automatically mask sensitive data in all output (logs, steps, debug messages, errors) using configurable patterns. This feature uses the maskSensitiveData configuration option.

# Basic Usage (Boolean)

Enable basic masking with predefined patterns:

// codecept.conf.js
exports.config = {
  // ... other config
  maskSensitiveData: true,
}

This will mask common sensitive data patterns like:

Authorization headers
API keys
Passwords
Tokens
Client secrets

# Advanced Usage (Custom Patterns)

Define your own masking patterns:

// codecept.conf.js
exports.config = {
  // ... other config
  maskSensitiveData: {
    enabled: true,
    patterns: [
      {
        name: 'Email',
        regex: /(\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b)/gi,
        mask: '[MASKED_EMAIL]',
      },
      {
        name: 'Credit Card',
        regex: /\b(?:\d{4}[- ]?){3}\d{4}\b/g,
        mask: '[MASKED_CARD]',
      },
      {
        name: 'Phone Number',
        regex: /(\+?1[-.\s]?)?\(?([0-9]{3})\)?[-.\s]?([0-9]{3})[-.\s]?([0-9]{4})/g,
        mask: '[MASKED_PHONE]',
      },
      {
        name: 'SSN',
        regex: /\b\d{3}-\d{2}-\d{4}\b/g,
        mask: '[MASKED_SSN]',
      },
    ],
  },
}

# Pattern Configuration

Each custom pattern object should have:

name: A descriptive name for the pattern
regex: A JavaScript regular expression to match the sensitive data
mask: The replacement string to show instead of the sensitive data

# Examples

With the above configuration:

Input:

User email: [email protected]
Credit card: 4111 1111 1111 1111
Phone: +1-555-123-4567

Output:

User email: [MASKED_EMAIL]
Credit card: [MASKED_CARD]
Phone: [MASKED_PHONE]

# Where Masking Applies

Global sensitive data masking is applied to:

Step descriptions and output
Debug messages (--debug mode)
Log messages (--verbose mode)
Error messages
Success messages

⚠️ Direct console.log() calls in helper functions are not masked. Use CodeceptJS output functions instead.

# Combining Both Approaches

You can use both secret() function and global masking together. The secret() function is applied first, then global patterns are applied to the remaining output.