How to Redact a PDF Properly (Without Leaking the Content You Meant to Hide)
The mistake that keeps leaking confidential documents
Every few months a high-profile organisation accidentally releases a "redacted" PDF where the redactions can be removed with a single keyboard shortcut. Court filings, intelligence reports, corporate emails — the same mistake keeps happening, and the cause is always the same: somebody used a **highlight** instead of a **redaction**.
Here's the difference:
If you've ever opened a PDF, clicked the highlighter, picked black, and emailed it off — that file is not redacted. Anyone can recover the text in five seconds.
What proper redaction actually does
A correctly redacted PDF passes three tests:
The first two are non-negotiable for any "I want to share this safely" workflow. The third matters when adversaries are sophisticated — journalists, lawyers, intelligence analysts.
How to redact a PDF in three steps
The boxes are drawn directly into the page content stream. They're not overlays, not annotations — they're part of the page itself. Open the file in Acrobat, Preview, Foxit, a browser, or print it: the redacted areas are solid black everywhere, in every viewer, on every device.
When to redact in black vs white
Both options matter:
The legal/forensic protection is identical either way; the only difference is what the reader perceives.
Going from "good" to "forensic-grade" redaction
For 99% of redaction tasks — sharing a redacted contract with a client, releasing a document to a regulator, anonymising a CV — drawing solid filled rectangles into the page content stream is enough. No PDF viewer will select or extract the covered text, and the rectangles can't be moved or deleted.
For the 1% where you're worried about a sophisticated adversary trying to forensically recover the underlying text bytes, add one more step: run the redacted PDF through our [OCR PDF](/ocr-pdf) tool. That rasterises each page into pixels and rebuilds a fresh PDF where every page is an image. There's no underlying text layer left to recover — only what's visible on screen.
Use this for: leaked-document journalism, intelligence reports, anything where the cost of a leak is catastrophic.
What *not* to do
Real-world use cases
Privacy
Your PDF is rendered locally in your browser for the visual editor. It's only sent to our server when you click *Apply Redactions* — at which point it's processed in memory in our serverless function and discarded the moment your redacted PDF is returned. Nothing is stored, nothing is logged, nothing is watermarked.
Conclusion
Redaction is one of those tasks that *looks* trivial — "just draw a black box, right?" — and gets people in serious trouble when done wrong. Use a tool that actually bakes the redaction into the page, not an annotation that can be peeled off. Drop your file into the [Redact PDF](/redact-pdf) tool, drag a box over every piece of sensitive content, click apply, and ship a PDF that's actually safe to share.