Is my sample text sent anywhere?

No. Both your regex and the sample text are processed entirely in your browser. Nothing is uploaded, so you can paste realistic test data without sending it through an external service.

How does it decide what counts as a missed leak?

It runs a panel of built-in detectors for common PII (email, phone, credit card, IPv4, US SSN, IBAN, JWT) over your text. Any detected span that does not overlap one of your regex matches is reported as a potential leak.

Why are some card-like numbers not flagged?

The credit-card detector validates candidates with the Luhn checksum, the same check payment systems use. Random 16-digit strings that fail Luhn are not real card numbers and are intentionally skipped to cut false positives.

What do the flags do?

Flags are standard JavaScript regex flags. The tool always adds the global flag so it can find every match, and you typically also want i for case-insensitive matching. Add m or s if your pattern spans multiple lines.

Can I rely on this as my only redaction check?

Treat it as a fast first pass. The built-in detectors cover common PII shapes but cannot know your domain-specific identifiers, so combine it with a domain test suite and manual review before trusting a redaction pipeline.

Regex Redaction Tester

Redaction pipelines fail quietly: a regex that looks right in review can still leak a phone number with an unusual separator or an email in an attachment field. This tool lets you exercise your redaction regex against realistic text and immediately see both what it catches and, just as importantly, what it misses.

How it works

The tool does two passes over your sample text:

Your regex is compiled with the global flag and run across the text. Every non-empty match is highlighted in green — these are the spans your pipeline would replace with a redaction marker.
Built-in PII detectors run independently for emails, phone numbers, credit cards, IPv4 addresses, US Social Security numbers, IBANs, and JWTs. The credit-card detector additionally verifies each candidate with the Luhn checksum so random digit runs are not reported.

For each detected PII span, the tool checks whether it overlaps any of your regex matches. If it does not, the value is shown in the red leak list — a piece of sensitive-looking data your regex would have let through.

Example

Suppose your regex only matches emails. Paste text that contains both an email and a credit-card number. The email is highlighted green (redacted), but the Luhn-valid card number appears in the red leak list because your pattern never covered it. That is the exact gap that causes production incidents, surfaced before you ship.

Notes and tips

The global flag is always applied so matching is exhaustive; add i, m, or s as your pattern needs.
An empty-match regex (for example a*) is guarded so it cannot loop forever — zero-width matches are skipped.
The detectors are heuristics tuned to reduce false positives. They will not know about your internal account IDs or custom tokens, so pair this with domain-specific tests.
Everything runs locally, so it is safe to test with real-shaped sample data.