Skip to content
AttachKit
Help center

How to remove metadata, JavaScript and attachments from a PDF with Sanitize

Strip a PDF's hidden author, title, dates and software metadata — plus embedded JavaScript, attached files and auto-run actions — entirely in your browser, and download a clean copy.

Last updated

Sanitize strips the hidden information a PDF carries about you — author, title, dates, the software that made it — along with embedded JavaScript, attached files and auto-run actions. The whole job runs in your browser: the file is never uploaded to a server, which is the difference from most online metadata cleaners.

Before you start

  • Sanitize is free on every plan, with no usage cap and no account needed.
  • The file must be 100 MB or smaller. The drop zone caps files at 100 MB to keep your browser responsive.
  • Password-protected PDFs can't be cleaned directly. Remove the password first with Unlock (you need to know the password), then clean the unlocked copy.
  • Sanitize removes hidden data, not visible content. A name printed on the page itself is content, not metadata — use Redact for that.
  • Everything stays local. The PDF never leaves this device — you can open your browser's DevTools network tab and watch.

Steps

  1. Open Sanitize.
  2. Drop your PDF onto the drop zone, or click it to pick a file.
  3. Click Remove metadata. The button reads Cleaning… while it works — usually well under a second, longer for very large documents. (Picked the wrong file? Choose another file takes you back.)
  4. Review the green Cleaned card. It lists each category of hidden data that was found and removed, so you know what the file was carrying.
  5. Click Download clean PDF. The copy downloads with -clean added to the name (for example report-clean.pdf). Your original file is not modified.
  6. Optional: the success message asks Fill or sign it next? — one click hands the cleaned copy straight to Fill, no re-upload needed.
  7. Click Clean another to process the next file.

What gets removed

Item in the Cleaned reportWhat it covers
Document properties (author, title, dates…)The PDF's Info dictionary: Title, Author, Subject, Keywords, Creator, Producer, and the creation and modification dates
XMP metadataThe XML metadata stream many applications embed in addition to the document properties
Embedded JavaScriptDocument-level scripts, per-field event scripts (keystroke, format, validate, calculate, mouse and focus events), and link actions that run JavaScript
Embedded / attached filesFiles attached inside the PDF
Auto-run actionsOpen actions and document- or page-level additional actions that fire automatically when the file is opened

Sanitize is deliberately careful about what it keeps: internal links and table-of-contents destinations still work, and normal link annotations (jump-to-page and web links) are preserved — only the JavaScript ones are stripped. The visible pages are untouched.

Result

You get a copy named …-clean.pdf that looks identical page for page but no longer reveals who wrote it, when, or with what software — and carries no scripts, attachments or auto-run actions. If the file had nothing to remove in the first place, Sanitize says so ("it's already clean") and still lets you download the re-saved copy.

Related

  • Redact — black out and truly remove visible content from the pages
  • Protect — add a password to the cleaned copy before sharing it
  • Unlock — remove a password so an encrypted PDF can be cleaned
  • If the file won't load, won't clean, or something still shows up afterwards, see the Sanitize troubleshooting article.

Open the tool →

Related

Was this helpful?

Still stuck? Contact support →