The invisible risk in API development
A developer copies a real request from Postman into the mock server history. The request has a real customer's cpf field. That data is now in logs, in the development server's database and potentially in unencrypted backups.
Brazil's LGPD (Art. 46) requires companies to adopt technical measures to protect personal data in all phases of the data lifecycle — including development and testing.
What httpdrop masks automatically
| Data type | Action | Result |
|---|---|---|
| CPF / CNPJ | mask | 123.456.***-** |
| Email | mask | an*****@email.com |
| Credit card | mask | **** **** **** 1234 |
| Authorization header | redact | [REDACTED] |
| Bearer token | redact | [REDACTED] |
| Phone number | mask | (11) 9****-**** |
| Custom fields | configurable | mask / hash / remove / redact |
Masking modes
mask — Replaces part of the value with asterisks. Preserves the format for debugging without exposing the real data.
hash — Applies SHA-256. Deterministic: the same CPF always generates the same hash, allowing log correlation without exposing the original value.
remove — Removes the field completely from the record. Use when the field isn't needed for debugging.
redact — Replaces with [REDACTED]. Keeps the JSON structure intact but makes the value unrecoverable.
Compliance: Masking is applied before saving to httpdrop's database. Because the original values are never stored, they are not exposed even if the server is compromised. This makes it easier to demonstrate compliance to auditors and Brazil's ANPD data protection authority.
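The four masking modes, applied to a captured request before it is written to storage, as an added example that is not httpdrop's own code. The rule table, field names and the `sanitize` function are hypothetical, and the sample request is constructed with fake values.

```python
import hashlib
import re

def mask_cpf(v):
    m = re.fullmatch(r"(\d{3})\.?(\d{3})\.?\d{3}-?\d{2}", v)
    return f"{m[1]}.{m[2]}.***-**" if m else "[REDACTED]"  # fail closed on odd formats

def mask_email(v):
    local, _, domain = v.partition("@")
    return local[:2] + "*****@" + domain if domain else "[REDACTED]"

def mask_card(v):
    digits = re.sub(r"\D", "", v)
    return "**** **** **** " + digits[-4:] if len(digits) >= 12 else "[REDACTED]"

# Hypothetical rule table (lower-cased field name -> mode, masker); not httpdrop's config format.
RULES = {
    "cpf": ("mask", mask_cpf), "email": ("mask", mask_email),
    "card_number": ("mask", mask_card), "authorization": ("redact", None),
    "customer_id": ("hash", None), "password": ("remove", None),
}

def sanitize(node):
    """Return a sanitized copy of a parsed JSON value; rules apply at every nesting depth."""
    if isinstance(node, list):
        return [sanitize(item) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        mode, masker = RULES.get(key.lower(), (None, None))
        if mode == "remove":
            continue                              # field never reaches storage
        if mode == "redact":
            out[key] = "[REDACTED]"               # JSON structure kept, value gone
        elif mode == "hash":                      # plain SHA-256, as the page describes
            out[key] = hashlib.sha256(str(value).encode()).hexdigest()
        elif mode == "mask":
            out[key] = masker(str(value))
        else:
            out[key] = sanitize(value)
    return out

# Constructed sample request (fake values), shaped like a call copied from Postman.
SAMPLE = {
    "headers": {"Authorization": "Bearer abc.def.ghi"},
    "body": {"cpf": "123.456.789-09", "email": "ana.silva@email.com",
             "card_number": "4111 1111 1111 1234", "customer_id": "c-1001",
             "password": "hunter2", "items": [{"sku": "A1", "email": "b@x.io"}]},
}
```

Only the output of `sanitize(SAMPLE)` should reach logs, the database or backups. For a low-entropy identifier such as a CPF, a keyed hash (HMAC with a server-side secret) resists enumeration better than plain SHA-256; that is a hardening assumption made here, not a documented httpdrop option.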