If you decide to capture text inputs, by default we provide additional safeguards against capturing PII.
Passwords are not captured as long as the password fields have been tagged appropriately (as password type inputs) in the DOM (e.g. <input type="password">).
Heap has a set of rules to automatically avoid capturing credit card numbers:
- Any inputs that have an
idornameattribute included in the list below are considered credit card inputs and will not be captured. The matching logic is case insensitive and will ignore ‘-‘ or ‘_’.‘cc’,’creditcard’, ‘ccnum’, ‘ccname’, ‘ccnumber’, ‘ccexpiry’, ‘ccexp’, ‘ccexpmonth’, ‘ccexpyear’, ‘cccvc’, ‘cccvv’, ‘cctype’, ‘cvc’, ‘cvv’, ‘cccid’, ‘expiration’,’paymentnumberinput’, ‘securitycodeinput’,'ssn'
- Any input where a user enters 9 or more consecutive digits is considered potential SSN or credit card information and will not be captured.