Defaults

This page describes how toran behaves out of the box. Defaults are intentionally conservative and designed to minimize data collection while preserving debuggability.

Read-only by default

toran observes outbound HTTP requests and does not retry, cache, block, or modify requests or responses. Removing toran is always as simple as reverting your base URL.

Safety limits

toran enforces per-toran concurrency limits to help prevent runaway loops and abuse. When a limit is reached, additional requests fail fast until in-flight requests complete. Limits vary by plan.

Allowed HTTP methods

toran proxies standard (and common) HTTP methods. Other methods return 405 Method Not Allowed.

GET
HEAD
POST
PUT
PATCH
DELETE
OPTIONS

CONNECT and TRACE are blocked to prevent relay abuse and cross-site tracing attacks.

Default Request Filters

toran automatically redacts sensitive fields from logs. Values are replaced with [REDACTED] before being stored.

Always redacted (cannot be removed)

These fields are always redacted and cannot be logged, even on paid plans.

Request Headers

authorization, proxy-authorization, x-api-key, api-key, x-auth-token, x-amz-security-token, cookie, signature, sig

Any Location (headers, query, body)

password, passwd, secret, client_secret, api_key, apikey, access_token, refresh_token, id_token, token, auth, session, private_key, privatekey, credential, credentials, credit_card, creditcard, card_number, cardnumber, cvv, cvc, ssn, social_security

Response Headers

set-cookie

Off by default (opt-in on paid plans)

These fields may identify a person or device. They are redacted by default but can be enabled on paid plans.

Request Headers

x-forwarded-for, x-real-ip, x-client-ip, cf-connecting-ip, true-client-ip, x-originating-ip, forwarded, x-forwarded-user, x-forwarded-email, x-request-id, x-correlation-id, x-trace-id, x-user-id, x-device-id, x-session-id, x-client-id, x-customer-id, x-account-id, x-amzn-trace-id, x-b3-traceid, cf-ipcountry, x-geo-country, x-geo-city, x-region, user-agent

Any Location (headers, query, body)

code, key

Header sensitivity tiers

toran classifies headers into three tiers based on sensitivity. This determines what is logged and what can be configured.

Always redacted (cannot be enabled)

These fields are always redacted and cannot be logged, even on paid plans. This protects against credential leakage and session hijacking.

  • authorization, proxy-authorization - credentials
  • cookie, set-cookie - session tokens
  • x-api-key, x-auth-token - API credentials
  • Passwords, secrets, tokens, and private keys in any location

Off by default (opt-in on paid plans)

These fields may identify a person or device. They are redacted by default but can be enabled on paid plans if required for debugging.

  • IP headers: x-forwarded-for, x-real-ip, cf-connecting-ip
  • User/device IDs: x-user-id, x-device-id, x-session-id
  • Correlation IDs: x-request-id, x-correlation-id, x-trace-id
  • Geo headers: cf-ipcountry, x-geo-country
  • user-agent - device fingerprinting risk

On by default (safe to log)

These fields are safe to log and provide essential debugging information.

  • Method, path, query parameter names, status code
  • content-type, accept, host
  • content-length, cache-control
  • Standard HTTP mechanics and timing

toran never logs application-level context such as prompts, model internals, or agent reasoning beyond the raw HTTP request and response.

Query Parameter Values

By default, all query parameter values are redacted. Parameter names are preserved for debugging, but values are replaced with [REDACTED].

Example:
?api_key=[REDACTED]&user_id=[REDACTED]

Request & Response Bodies

By default, request and response bodies are not logged. You can enable body logging in your toran settings if needed for debugging.

When body logging is enabled, toran attempts to decode request and response bodies as UTF-8 text (best-effort) and stores text bodies according to your plan and settings.

If a body cannot be decoded as text, toran does not store it. Instead, toran stores the body size and a SHA-256 fingerprint.
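The header tiers, query-value redaction and body fallback described above, as an added Python sketch (not toran's own code). The function names are hypothetical, the name sets are short subsets of the lists on this page, and case-insensitive exact name matching and JSON-only field matching in bodies are assumptions.

```python
import hashlib, json
from urllib.parse import urlsplit, parse_qsl, quote

REDACTED = "[REDACTED]"
# Subsets of the page's lists, kept short for the example.
ALWAYS_HEADERS = {"authorization", "proxy-authorization", "x-api-key", "cookie"}
OPT_IN_HEADERS = {"x-forwarded-for", "x-request-id", "user-agent"}
ALWAYS_FIELDS = {"password", "client_secret", "api_key", "access_token", "token"}

def redact_headers(headers, opted_in=frozenset()):
    """Tiered redaction; opting in never unlocks the always-redacted tier."""
    out = {}
    for name, value in headers.items():
        key = name.lower()  # header names are case-insensitive
        hidden = key in ALWAYS_HEADERS or (
            key in OPT_IN_HEADERS and key not in opted_in)
        out[key] = REDACTED if hidden else value
    return out

def redact_query(url):
    """Keep the path and parameter names, replace every value."""
    parts = urlsplit(url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    query = "&".join(f"{quote(k, safe='')}={REDACTED}" for k in names)
    return parts.path + ("?" + query if query else "")

def redact_fields(node):
    """Recursively redact sensitive field names in decoded JSON (assumed matching)."""
    if isinstance(node, dict):
        return {k: REDACTED if k.lower() in ALWAYS_FIELDS else redact_fields(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact_fields(v) for v in node]
    return node

def body_record(body, log_bodies=False):
    """None when body logging is off; size + SHA-256 when bytes are not UTF-8."""
    if not log_bodies:
        return None
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return {"size": len(body), "sha256": hashlib.sha256(body).hexdigest()}
    try:
        return {"text": json.dumps(redact_fields(json.loads(text)))}
    except ValueError:
        return {"text": text}  # non-JSON text: field filters not modelled here
```
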

Customization

You can customize these defaults in your toran settings:

  • Add filters to redact additional fields
  • Remove default filters if you need to log specific fields
  • Enable response body logging

Responsibility and control

You control what requests are routed through toran and which fields are logged. If you enable logging of additional headers or bodies, you are responsible for ensuring that collection and processing complies with applicable laws and third-party terms.

For a broader explanation of how toran processes data, see our Privacy Policy.