Session Replay enables you to replay in a video-like format how users interact with your website to help you understand behavioral patterns and save time troubleshooting. Visibility into user sessions, however, can risk exposing sensitive data and raise privacy concerns. For example, a user session may include typing a credit card or social security number into an input field. That’s why Datadog Session Replay includes configurable privacy settings by default that provide you with granular control over what data is viewable during a session replay. This means that you can run full analyses on real user behavior across your application while ensuring you keep sensitive data protected and meet security and compliance regulations.
Easily control replay visibility
The amount of sensitive data that’s visible in any given page of your website can vary depending on what users are doing and what sort of application you run. For example, a replay of a user browsing through the catalog of an e-commerce site is likely to show less sensitive data than a replay of a checkout workflow that asks for contact and payment information. It makes sense, then, to configure different privacy settings based on the context of a session replay and use case. Datadog provides three obfuscation options—allow, mask-user-input, and mask—which you can configure on a per-page basis to determine how much detail to obfuscate in a replay.
By default, Session Replay automatically masks all user inputs using the mask-user-input setting. At any time, if you want to modify this—for example, obscuring more or fewer elements—you can simply change the value of the privacy level property within your JavaScript RUM configuration. You can also modify privacy settings through HTML attributes and classes. Privacy settings are inheritable, so each HTML element of your site will inherit the privacy setting of its parent unless otherwise specified. This gives you more granular control over privacy settings and lets you decide on a case-by-case basis which data to obfuscate.
Next, we’ll look at each of the three options and when you might want to use them.
mask
The maximum privacy setting for a session replay is mask. Under this setting, all text will be obfuscated, and any input typed into a form field will be replaced with asterisks. This is especially useful for pages primarily made up of highly sensitive data, such as medical and personal financial records.
mask-user-input
The mask-user-input setting is the default and only obfuscates what users type into a form field. This is particularly useful for web pages that require users to input private data that should be kept hidden, but where the majority of the text on a page is safe to show. For instance, you may use mask-user-input on e-commerce or social media sites that ask users to submit phone numbers, email addresses, and credit card information.
allow
Some web pages don’t include sensitive data or require users to log in. For instance, perhaps you’re running a digital media site that relies heavily on public, user-facing content like ads and news stories. In that case, you can use the allow setting to keep all text and input fields visible as you record user sessions. This provides you with the highest level of visibility, which makes it easier to observe user behavior directly, verify that content appears as expected, and gain quick insights as you troubleshoot.
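Because privacy settings are inherited from parent elements, a single allow override on a container can expose every form field beneath it. The following added example (not Datadog's code, and a simplified model of the inheritance rule rather than the SDK's implementation) walks a constructed page tree and lists the form fields whose effective level is allow. It assumes the data-dd-privacy attribute, the dd-privacy-<level> classes and the defaultPrivacyLevel option from Datadog's RUM Browser SDK documentation, none of which are named on this page; findExposedInputs, ownLevel and the sample tree are hypothetical.

```javascript
// Simplified model of the inheritance rule described above: an element uses
// its own privacy override if it has one, otherwise its parent's level.
const LEVELS = ['allow', 'mask-user-input', 'mask'];

// Read an override from data-dd-privacy or a dd-privacy-<level> class.
function ownLevel(node) {
  const attr = (node.attrs || {})['data-dd-privacy'];
  if (LEVELS.includes(attr)) return attr;
  const classes = ((node.attrs || {}).class || '').split(/\s+/);
  return LEVELS.find((l) => classes.includes(`dd-privacy-${l}`)) || null;
}

// Walk the tree and return every form field whose typed input would be
// visible in a replay (effective level "allow").
function findExposedInputs(node, inherited, path = '') {
  const level = ownLevel(node) || inherited;
  const id = node.attrs && node.attrs.id ? '#' + node.attrs.id : '';
  const here = `${path}/${node.tag}${id}`;
  const exposed = [];
  if (['input', 'textarea', 'select'].includes(node.tag) && level === 'allow') {
    exposed.push(here);
  }
  for (const child of node.children || []) {
    exposed.push(...findExposedInputs(child, level, here));
  }
  return exposed;
}

// Constructed sample page: a checkout form inside a container marked "allow".
const samplePage = {
  tag: 'body', children: [
    { tag: 'main', attrs: { class: 'dd-privacy-allow' }, children: [
      { tag: 'input', attrs: { id: 'search' } },
      { tag: 'form', attrs: { id: 'checkout', 'data-dd-privacy': 'mask-user-input' }, children: [
        { tag: 'input', attrs: { id: 'card-number' } },
        { tag: 'input', attrs: { id: 'promo', 'data-dd-privacy': 'allow' } },
      ] },
    ] },
    { tag: 'textarea', attrs: { id: 'feedback' } },
  ],
};

// The second argument stands in for defaultPrivacyLevel from the RUM init call.
console.log(findExposedInputs(samplePage, 'mask-user-input'));
```

Run against a serialized copy of your own pages, a check like this can sit in CI so that an allow override added for troubleshooting does not silently unmask a field that collects personal data.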
Get started with Session Replay privacy settings today
Session Replay’s privacy settings allow you to fine-tune what data is visible when you capture and replay user behavior, so that you can review and analyze how users interact with your site while keeping their data protected. You can learn more about how to get started with Session Replay here. If you aren’t already using Datadog, sign up today for a 14-day free trial.