Runs entirely in your browser · nothing is uploaded

Strip the client out of a firewall config before it ever leaves your laptop.

A configuration file is a map of someone's network: internal addressing, topology, naming, the appliances and the people behind them. configscrub de-identifies FortiGate and Palo Alto configs — IPs, hostnames, secrets, serials, and the object names that quietly carry your client's identity — so you can share one with a vendor, an auditor, or an AI without handing over the network.

The catch most tools miss: to protect your data, they take custody of it first. This one doesn't. The processing happens in this browser tab. We never receive the file — you can watch the network tab and verify it.

✓ No upload · ✓ No account · ✓ No storage
FortiGate (FortiOS 7.0–7.6) · Palo Alto (PAN-OS 10.2–11.2)
Why this matters now

Every config you paste somewhere is a config you no longer control.

It was always risky to email a firewall config to a vendor's support portal. The AI era made it routine — and made the exposure worse.

[ 01 ]

You paste configs into AI tools now

Troubleshooting a policy? Asking a chatbot to explain a rule set? The moment a raw config goes into a prompt, your client's internal addressing, naming, and topology become training-adjacent data on infrastructure you don't own — and can't pull back.

[ 02 ]

Support cases outlive the case

A config attached to a vendor ticket sits in a system you don't control, indexed and retained on someone else's schedule. The fix takes an afternoon; the exposure is indefinite.

[ 03 ]

Names leak more than IPs

Engineers scrub IPs and forget object names. "Aramco-SCADA-DMZ" or "Allow-Finance-to-DB" tells a reader the client, the sector, and the architecture — long after the addresses are masked.

[ 04 ]

The frameworks already expect this

Under NCA ECC-2 and PDPL, a config is sensitive data, and minimising what you disclose to a third party is the control. De-identifying before sharing isn't caution — it's the documented expectation.

The principle: the safest data is the data that never leaves. This tool is built so the sensitive file never reaches us at all — not stored briefly, not processed server-side, not transmitted. The strongest privacy guarantee is the one that doesn't depend on trusting the tool.
How it works

Paste a config. Review what it found. Download the clean version.

Three steps, no account, no upload. The whole thing runs on Python compiled to WebAssembly, inside your browser.

1. Paste or load

Drop in your FortiGate or Palo Alto config. It stays in the page — open your browser's network tab and confirm nothing leaves.

2. Review & confirm

The tool flags client and staff identifiers hidden in object names and asks you to confirm before redacting. You stay in control of what's removed.

3. Download

Get the sanitised config plus an optional mapping key that reverses the changes — so you can translate findings back to the real names later.

before → after · FortiGate

# before
set hostname "NORTHBAY-DC-FGT01"
set ip 213.42.11.50 255.255.255.248
edit "Aramco-SCADA-DMZ"
set passwd ENC SH2x9zKp8secretvalue

# after
set hostname "FW-REDACTED"
set ip 198.51.100.1 255.255.255.248
edit "REDACTED-OBJ-001"
set passwd "REDACTED"

What it removes

The categories of data that identify a network.

Each is replaced in a way that keeps the config analysable — masks and structure are preserved, identity is not.

Category: What happens to it
IP addresses: Mapped to documentation-reserved ranges (RFC 5737 / 3849). Subnet structure and masks preserved so the config still makes sense.
Hostnames & FQDNs: Replaced with neutral placeholders. Well-known public domains (vendor, cloud, update services) kept as non-identifying.
Device serials: FortiGate appliance serials removed wherever they appear, while the model code in the version header is preserved.
Secrets: Passwords, pre-shared keys, SNMP communities, private keys, tokens — replaced wholesale, never transformed.
Object & policy names: The user-defined labels that embed client, staff, branch, or system identity. Detected by a pre-scan and confirmed by you. Whole-name mode replaces the entire name consistently across every reference.
Free text: Descriptions, comments, banners, and email addresses that carry the organisation's name in prose.
Honest about the limits: object-name detection is a heuristic — it can miss an org name that's also ordinary networking vocabulary, and it will occasionally flag something harmless. That's why you confirm before output, and why the default leans toward over-redaction. A full methodology write-up, with the NCA ECC-2 control mapping, is available below.
The approach

Why we built it to never receive your file.

This started from a habit we kept seeing on real engagements: skilled engineers hand-scrubbing configs before sharing them — find-and-replacing IPs in a text editor, missing an object name, missing a serial in an HA alias, and never quite sure they'd caught everything. The manual approach is slow and it leaks, because a config has more identifying surface than a human reliably tracks.

The obvious fix is a web tool you upload to. We rejected that, because it has the same flaw as the problem: now two parties hold the sensitive file instead of one. A privacy tool that takes custody of your data to protect it has quietly become another place your data can leak from.

So the design constraint came first, before any code: the tool must never receive the configuration. Everything downstream followed from that — Python compiled to WebAssembly, both vendor engines running client-side, the file never crossing the network. The privacy claim isn't a policy you have to trust. It's an architecture you can verify.

The leak we chased first

FortiGate serial numbers hiding in HA aliases and Security Fabric device references — customer-identifying tokens that survive a naive IP scrub. Closing that taught us the real surface area.

The leak nobody scrubs

Object names. Prod-DB, Riyadh-Branch, jdoe — arbitrary strings that match no IP or pattern, so they pass straight through unless something looks for them. We built a pre-scan that flags them and asks you to confirm.

The leak inside the redaction

Even after removing the client name from NorthBay-SCADA-DMZ, the remainder SCADA-DMZ still leaks the environment. Whole-name mode replaces the entire name — consistently, across every reference — so the structure goes too.
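The IP, secret and whole-name substitutions from the "What it removes" table and the whole-name mode described above, as an added Python example (not configscrub's own code). It assumes the reviewer has already confirmed which names to replace, hands out RFC 5737 addresses in order of first appearance rather than preserving prefix relationships, and uses a hypothetical `sanitise` function with a constructed sample config.

```python
import ipaddress
import re

# RFC 5737 documentation ranges supply replacement addresses (IPv4 only here).
DOC_POOL = [h for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
            for h in ipaddress.ip_network(n).hosts()]
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IP_RE = re.compile(rf"\b{OCTET}(?:\.{OCTET}){{3}}\b")
SECRET_RE = re.compile(r"^(\s*set (?:passwd|password|psksecret)) .*$")

def sanitise(config, confirmed_names):
    """Return (clean_text, mapping_key) for the names the reviewer confirmed."""
    ip_map = {}
    name_map = {n: f"REDACTED-OBJ-{i:03d}"
                for i, n in enumerate(sorted(confirmed_names), 1)}
    def swap_ip(match):
        ip = match.group(0)
        if "01" not in f"{int(ipaddress.IPv4Address(ip)):032b}":
            return ip  # netmask or 0.0.0.0: kept so the structure survives
        # One stable substitute per address; the pool holds 762 hosts.
        return ip_map.setdefault(ip, str(DOC_POOL[len(ip_map)]))

    out = []
    for line in config.splitlines():
        secret = SECRET_RE.match(line)
        if secret:  # replaced wholesale: not hashed, not written to the key
            out.append(f'{secret.group(1)} "REDACTED"')
            continue
        for real, fake in name_map.items():  # exact quoted token, every reference
            line = line.replace(f'"{real}"', f'"{fake}"')
        out.append(IP_RE.sub(swap_ip, line))
    return "\n".join(out), {"ip": ip_map, "name": name_map}

# Constructed sample; names and values echo the page's before/after snippet.
SAMPLE = '''config firewall address
    edit "Aramco-SCADA-DMZ"
        set subnet 213.42.11.48 255.255.255.248
    next
end
config firewall policy
    edit 1
        set srcaddr "Aramco-SCADA-DMZ"
    next
end
config user local
    edit "jdoe"
        set passwd ENC SH2x9zKp8secretvalue
    next
end'''
```

Calling `sanitise(SAMPLE, {"Aramco-SCADA-DMZ", "jdoe"})` returns the cleaned text and the mapping key. The key holds every real-to-placeholder pair, so it needs the same handling as the original config.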

Open about what it is: a tool supports good practice; it doesn't replace your judgment or make you compliant with anything. We say "supports ECC-2 / PDPL," never "makes you compliant." That distinction is the whole point of doing this honestly.
The tool

Sanitise a config.

Free. In your browser. Nothing uploaded. First load fetches the in-browser Python runtime (a few seconds, one time).

In-browser (recommended): Nothing is uploaded. Runs on your machine — verify in the network tab.
Server (uploads config): Not enabled in this release. The whole point is that your config stays local.
Whole-name redaction: Replace entire object & policy names (e.g. SCADA-DMZ), not just the flagged token. Safer; less readable output. Recommended for high-sensitivity configs.
I understand object-name detection is a heuristic and I'll review flagged names before downloading. (FortiGate only)
Mapping key — keep secret. This file reverses the sanitisation. Treat it as at least as sensitive as the original config; never send it to whoever receives the sanitised file.

Got your clean config. Want the deeper material?

Optional — and unrelated to the tool, which needs nothing from you. If you want the full sanitisation methodology (with the NCA ECC-2 control mapping) or a heads-up when we add Cisco IOS support, leave an email. That's it.

No spam, no list-selling. We may follow up once about a related config-review platform we're building. Unsubscribe anytime. The tool never required this — you already have your file.
Questions engineers actually ask

Straight answers.

Is my config really not uploaded?
Yes — and you don't have to take our word for it. Open your browser's developer tools, go to the Network tab, and sanitise a config. You'll see the one-time download of the Python runtime, and zero upload of your file. The processing happens in WebAssembly inside the tab.
What runs the sanitisation?
The same Python engines we use internally, compiled to WebAssembly via Pyodide and executed in your browser. FortiGate uses a line-based engine; Palo Alto uses an XML-tree engine with a whitelist approach. Both run client-side.
Can it catch everything?
No, and we won't claim it. IPs, FQDNs, serials, secrets, and MACs are pattern-based and caught reliably. Object and policy names are heuristic — the tool flags likely identifiers and asks you to confirm, defaulting toward over-redaction. Always eyeball the output before sharing.
What's the mapping key for?
It records every change so you can reverse them — useful when a vendor returns findings against the sanitised config and you need to map them back to real names. It's a re-identification key, so it's as sensitive as the original config. Never send it alongside the sanitised file.
Does this make me ECC-2 or PDPL compliant?
No tool can do that — only your control environment can. What the tool does is operationalise specific control intents (technical security standards for firewalls, data-handling, third-party non-disclosure, data minimisation). It supports compliance; it doesn't grant it. The methodology write-up explains exactly which controls and how.
Is it free? What's the catch?
Free, no account, no upload. The optional email ask appears only after you've downloaded — the tool works fully without it. We build config-review tooling, and this free tool is how people meet our work. That's the whole model.