Overview
Heap’s capture controls provide a simple user interface for controlling which sites and/or pages data is collected from, without needing to write code.
You can view the capture controls for your Heap account by navigating to Account > Manage > Privacy & security.
Notes:
- These settings are applied on a per environment basis. This means settings from one Heap environment don’t carry over to another.
- These settings are only applicable to Heap’s autocaptured data collection. For an overview of the privacy settings specific to session replay, see session replay privacy settings.
- These settings are only applicable to data collected using the Heap web SDK.
- Block and Allow are opposites of each other. Review your data collection strategy to determine which works best for you.
- Sites and pages requiring data collection must have the Heap web SDK client installed.
Capture user activity
At the top of the panel is the question What user activity should Heap capture? This is where you can modify which sites and/or pages Heap is allowed to capture data from.
Capture all data
By default, Capture will be selected in the capture controls. Heap will autocapture data on any page where the Heap SDK is installed. For an overview of Heap’s data model, see Autocaptured Data.
Block data capture
You can block data from being collected on a site or page by selecting the Block radio option in the panel.
This is useful if there are parts of your app, such as an internal testing subdomain, that you don’t want data collected from. Think of this selection as a blocklist that you can control from the Heap app, without using code.
Once this radio option is selected, a textbox will appear. You can input up to 100 different entries within this textbox. To add an entry, click inside the box, type the domain, subdomain, and/or pages you wish to block, and then press Enter or Comma on your keyboard.
URL formatting
Do not include “www” in the URLs you list. For example, use heap.io instead of www.heap.io.
The entry will then display in the text box. Additional pages can be added by repeating this process. When finished, click the Save button at the bottom of the form.
It will take between 30-60 seconds for new settings to be applied and to take effect.
Allow data capture
You can choose to only allow data collection from specific sites or pages by selecting the Allow radio option in the panel. This option will prevent data from being captured from any location that is not specified.
This is useful if you are concerned about data integrity and want to ensure bad actors have not set up duplicate versions of your app that could possibly send invalid data (such as fake data generated by bots) to your Heap account. Think of this selection as an allowlist that you can control from the Heap app, without using code.
Once this radio option is selected, a textbox will appear. You can input up to 100 different entries within this textbox. To add an entry, click inside the box, type the domain, subdomain, and/or pages you wish to allow, and then press Enter or Comma on your keyboard.
URL formatting
Do not include “www” in the URLs you list. For example, use heap.io instead of www.heap.io.
The entry will then display in the text box. Additional pages can be added by repeating this process. When finished, click the Save button at the bottom of the form.
It will take between 30-60 seconds for new settings to be applied and to take effect.
User activity syntax rules
You can specify many different combinations of domains, subdomains, and/or pages within either the Blocklist or Allowlist using flexible syntax rules.
Domains
- Entering a full domain, such as heap.io, will target all data on that domain and any subsequent paths and pages. For example, in this scenario, entering heap.io will target the root domain as well as heap.io/page1.
- Entering a full domain does not target subdomains. For example, entering heap.io in the blocklist won’t prevent data from being collected on community.heap.io.
- To target a single subdomain, enter it into the textbox.
Wildcards
- If you wish to target all subdomains, use a wildcard asterisk followed by the root domain. For example, *.heap.io would target all heap.io subdomains, including community.heap.io and help.heap.io.
- Wildcard asterisks can also be added within a URL string to target any page which matches a specific URL pattern. For example, if you wanted to prevent data from being collected within the admin section of your app, you can enter heap.io/admin/* which would target any URL pattern which contains that string.
- Only one wildcard asterisk can be used within a single entry. For example, heap.io/*/admin/* is not a valid entry.
URLs
- URLs with trailing slashes are stripped and evaluated the same as those without. For example, entering heap.io/ will be updated and evaluated the same as entering heap.io without a trailing slash.
- URLs containing either https or http will have the protocol stripped and evaluated as the same. For example, entering https://heap.io and http://heap.io will result in an entry of heap.io, which will be applied regardless of whether an https or http protocol is being used on your app.
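The syntax rules above, modeled as a small validator and matcher for dry-running a blocklist or allowlist before saving it. This is an added example, not Heap's implementation; the function names and the handling of cases the page leaves unspecified (a host wildcard never spanning "/", a path entry without a wildcard matching only that page, query strings being ignored) are assumptions.

```javascript
// Added example: models the documented syntax rules; it is not Heap's code.
const MAX_ENTRIES = 100; // documented limit per list

// Normalize an entry as the page describes: protocol and trailing slash stripped.
function normalizeEntry(raw) {
  const entry = raw.trim().replace(/^https?:\/\//, '').replace(/\/+$/, '');
  if (entry === '') throw new Error('empty entry');
  if (entry.startsWith('www.')) throw new Error(`remove "www" from: ${raw}`);
  if ((entry.match(/\*/g) || []).length > 1) {
    throw new Error(`only one wildcard per entry: ${raw}`);
  }
  return entry;
}

// Compile a normalized entry into a RegExp tested against "host/path".
function entryToRegExp(entry) {
  const slash = entry.indexOf('/');
  const star = entry.indexOf('*');
  // Assumption: a wildcard in the host part never spans a "/", so "*.heap.io"
  // cannot be satisfied by a path segment on an unrelated host.
  const inHost = star !== -1 && (slash === -1 || star < slash);
  const escaped = entry
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace('*', inHost ? '[^/]+' : '.*');
  // A bare domain covers every path on that exact host (documented).
  // Assumption: an entry with a path and no wildcard covers only that page.
  return new RegExp(`^${escaped}${slash === -1 ? '(/.*)?' : ''}$`);
}

function compileList(rawEntries) {
  if (rawEntries.length > MAX_ENTRIES) throw new Error('more than 100 entries');
  return [...new Set(rawEntries.map(normalizeEntry))].map(entryToRegExp);
}

// Reduce a page URL to "host/path"; the query string is ignored (assumption).
function urlKey(pageUrl) {
  const u = new URL(pageUrl);
  return (u.hostname + u.pathname).replace(/\/+$/, '');
}

// mode is 'block' (capture unless listed) or 'allow' (capture only if listed).
function isCaptured(mode, compiled, pageUrl) {
  const hit = compiled.some((re) => re.test(urlKey(pageUrl)));
  return mode === 'block' ? !hit : hit;
}

// Constructed sample: block the admin section and a staging subdomain.
const blocklist = compileList(['https://heap.io/admin/*', 'staging.heap.io']);
console.log(isCaptured('block', blocklist, 'https://heap.io/admin/users'));
```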
Capture HTML attributes
The next panel asks Which HTML attributes should Heap redact?
HTML elements can have attributes, which are additional values that allow you to configure the HTML elements or adjust their behavior. To ensure privacy and regulatory compliance, Heap allows customers to configure what HTML attributes are being captured.
Capture all attributes
By default, Heap will autocapture many HTML attributes on any page where the Heap web SDK is installed. These data attributes are often used to define events that are being captured. For an overview of Heap’s data model, see Autocaptured Data.
Redact all attributes
You can prevent Heap from autocapturing all HTML attributes by selecting the Redact all attributes radio selection. Remember to click the Save button once you have made your selection. This option will prevent any HTML attribute, both standard HTML attributes as well as any custom or unique attributes, from being collected in Heap.
class and id attributes are excluded from redaction to preserve event definitions.
It will take between 30-60 seconds for new settings to be applied and to take effect.
Redact specific attributes
A scenario may arise where some HTML attributes are being used to define events in Heap, but other attributes on your site contain sensitive information which you do not want to capture. In these instances, Heap provides the ability to redact specific attributes which may contain sensitive information.
Select the Redact specific attributes radio selection. A textbox will appear to allow the entry of any attribute. To add an entry, click inside the box, type the attribute you wish to redact, and press Enter or Comma.
The entry will then display as a pill within the text box. Repeat this process to add more attributes. When finished, click the Save button at the bottom of the form.
Some best practices when considering which attributes to selectively redact:
- If an attribute value contains sensitive information, it’s possible Heap could collect it within the Hierarchy property of an event.
- Attributes redacted using the Redact specific attributes feature will be redacted after the data is sent to Heap. This prevents the redacted data from being stored in Heap’s database, though the redacted value will still be sent out of the user’s browser to Heap’s servers, where it is then redacted.
- If you want to make sure that certain attribute values never leave the user’s browser, you’ll need to use data-heap-redact-attributes='attr1,attr2' where attr1 and attr2 are the names of the attributes containing sensitive data. You can find more information and an example in our Install Heap.js guide.
- Don’t add sensitive data directly to attribute values.
- Avoid adding sensitive data to IDs and classes, as those are key criteria to filter by when creating events, and it is not possible to redact those attributes in Heap.
- If your URL paths contain sensitive data, make sure to redact that data from hrefs on links to those paths.
class and id attributes are excluded from redaction to preserve event definitions.
It will take between 30-60 seconds for new settings to be applied and to take effect.
Target text autocapture
The Target text autocapture toggle allows you to manage the capture of target text of elements for web traffic.
To avoid potentially capturing sensitive data, target text capture is disabled globally. Keeping this option disabled may make it more difficult to create and manage events, as you will not be able to filter by target text.
If you’d like to block target text capture for specific elements only, you can apply data-heap-redact-text to only the specific elements where sensitive data lives. This will selectively block text capture from only those elements, and will allow you to enable text capture for everything else.
JavaScript snapshots
Snapshots give you the ability to capture additional metadata that isn’t autocaptured by Heap out-of-the-box.
In certain cases, you may want to disable snapshots to prevent users from making unwanted changes to your site. You can disable snapshots by toggling off the JavaScript snapshots toggle.
If you don’t want to completely disable snapshots, you can manage who can or cannot create snapshots in your Heap account by going to the Roles settings.
IP Autocapture
By default, Heap does not capture a user’s IP address for privacy reasons. In certain circumstances and use cases, you may want to capture users’ IP addresses.
To capture IP Addresses, switch on the IP Autocapture toggle. A pop-up will appear asking you to confirm your choice.
Geolocation Autocapture
By default, Heap uses a user’s IP address to geolocate them within a particular country, region, and city. For privacy reasons, you may not want Heap to identify users’ location from their IP address.
To prevent geolocation autocapture, switch off the Geolocation Autocapture toggle. A modal will appear asking you to confirm your choice.
How do the IP and Geolocation toggles interact?
The IP Autocapture and Geolocation Autocapture toggles are independent of one another.
If the IP Autocapture toggle is turned off but the Geolocation toggle is still on, users will still have their location identified before their IP address is disregarded.
To delete information that has already been collected, contact us via the Get support page.