Overview
Heap’s session replay privacy and security settings are highly customizable to make sure you don’t capture any sensitive information from your users.
Session replay privacy configurations are environment-specific. We recommend you enable session replay in your development environment first to test your privacy configurations. Once you are satisfied with your privacy settings, you can replicate them in your Production environment.
You can view the privacy and security settings for session replay by navigating to Account > Manage > Replay & Heatmaps.
These settings only impact session replay data capture. Your general Heap privacy settings are applied first, followed by the session replay privacy settings. For details, see our FAQ on privacy settings that session replay inherits from Heap.
CSS Selectors
Familiarity with CSS selectors may be necessary to fully configure these privacy settings. If you are unfamiliar with what a CSS selector is, we recommend that you ask a technical member of your team for help.
Text and form fields
The first question we ask is: What content should Heap mask from session replays?
Mask all text
Mask all text replaces all text content with asterisks, and Heap won’t capture the value of any form fields. This is the most conservative setting, and it is a good choice if you deal with lots of private user information.
This setting will redact all text in your replays and heatmaps, regardless of your broader Heap privacy settings.
Below is what the Heap homepage looks like with Mask all text selected. This view gives you the “wireframe” or shape of the page, so you can still watch replays and view heatmaps without the risk of exposing private information.
When finished, click the Save button at the bottom of the page. It will take between 30 seconds and 1 minute for your new settings to be applied and to take effect.
These settings are not retroactive; newly saved changes only affect data captured going forward.
Mask all form fields and sensitive content
Select this option if you are comfortable capturing other types of content on your website, but don’t want to capture any form fields.
When finished, click the Save button at the bottom of the page. It will take between 30 seconds and 1 minute for your new settings to be applied and to take effect.
These settings are not retroactive; newly saved changes only affect data captured going forward.
Capturing form fields
By default, Heap no longer captures form field content in session replays and heatmaps. If you need to capture this data, contact our support team for assistance.
To learn more about how Heap blocks the collection of password and credit card information, see How do I prevent session replay from capturing certain data, such as passwords and credit card numbers?.
Mask additional elements
The second question we ask is: Should Heap mask any additional elements?
Outside of <input> elements, there may be other elements you want to exclude from being captured in session replay. To exclude other types of elements from being captured, list their CSS selectors in this box.
Examples of elements you may want to mask include:
- A billing address on an order confirmation page.
- A user’s first and last name on an account details page.
- Personal financial information, such as a user’s salary.
Wildcards are not supported here; see the section CSS Class Semantics at the end of this guide to learn which CSS selectors you can use instead.
When finished, click the Save button at the bottom of the page. It will take between 30 seconds and 1 minute for your new settings to be applied and to take effect.
These settings are not retroactive; newly saved changes only affect data captured going forward.
Unmask Additional Elements
The third question we ask is: Should Heap unmask any additional elements?
Heap session replay does not capture any input or text fields, regardless of your privacy settings configuration. This includes all passwords, credit card numbers, and any other type of form input.
This is helpful if your pages contain a lot of sensitive information that requires most of the content to be masked using the Mask all text setting described above, but there is still information on the page that would be valuable to capture in your session replays.
Examples of elements you may want to unmask include:
- Header text in a banner that is often used to test different messaging
- Navigation and other product UI elements
Wildcards are not supported here; see the section CSS Class Semantics at the end of this guide to learn which CSS selectors you can use instead.
When finished, click the Save button at the bottom of the page. It will take between 30 seconds and 1 minute for your new settings to be applied and to take effect.
These settings are not retroactive; newly saved changes only affect data captured going forward.
Choosing pages to be captured (Url allowlist / blocklist)
This setting allows you to create rules for which domains, subdomains, and/or pages you want to capture.
Substring Semantics
This setting follows substring semantics, so all URLs containing the entered text will be included/excluded.
For example, capturing replay from URLs that contain foo will include example.com/foo/path1, example.com/foo/path2, and example.com/food.
Capture user activity for all domains, subdomains, and pages
This setting is selected by default; replays will be captured for all pages.
Block user activity for specified domains, subdomains, and/or pages
This selection allows you to create a block list of URLs that you can control from the Heap app, without using code. Replays will not be captured on the URLs that you list here.
This is useful if there are parts of your app for which you don’t want data collected. For example, you might not want to capture information on your order confirmation page because it contains customer information such as shipping address and phone number.
Session replay will never capture credit card numbers or passwords. For more info on this topic, see our FAQ on how to prevent session replay from capturing certain data.
Once this radio option is selected, a textbox will appear. To add an entry, click inside the box, type the domain, subdomain, and/or page you wish to block, and then press Enter or the comma key on your keyboard.
When finished, click the Save button at the bottom of the page. It will take between 30 seconds and 1 minute for your new settings to be applied and to take effect.
These settings are not retroactive; newly saved changes only affect data captured going forward.
Allow user activity for only specified domains, subdomains, and/or pages
This selection allows you to create an allow list of URLs that you can control from the Heap app, without using code. This option will prevent data from being captured from any location that is not specified. For example, if you only want to capture public pages, you would set up those rules here.
Once this radio option is selected, a textbox will appear. To add an entry, click inside the box, type the domain, subdomain, and/or page you wish to capture, and then press Enter or the comma key on your keyboard.
When finished, click the Save button at the bottom of the page. It will take between 30 seconds and 1 minute for your new settings to be applied and to take effect.
These settings are not retroactive; newly saved changes only affect data captured going forward.
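Because the allowlist and blocklist use substring matching, it is worth previewing which of your site's URLs a policy would capture before replicating it in Production. The following is an added example, not Heap's code: a small evaluator that applies the three modes described above to a constructed list of URLs, so an unintended match (the "food" page sharing the "foo" substring) or an uncovered sensitive page (a confirmation page under a different path) shows up in the review.

```javascript
// Added example (not Heap's code): preview which page URLs a session replay
// URL policy would capture, using the substring semantics the guide describes.
// policy.mode is one of "all", "block", "allow"; policy.entries are the
// strings you would type into the Heap textbox (constructed here).

function matchesAnyEntry(url, entries) {
  // Substring semantics: an entry matches if it appears anywhere in the URL.
  return entries.some((entry) => entry.length > 0 && url.includes(entry));
}

function isCaptured(url, policy) {
  switch (policy.mode) {
    case "all":
      return true;
    case "block": // blocklist: capture everything except matching URLs
      return !matchesAnyEntry(url, policy.entries);
    case "allow": // allowlist: capture only matching URLs
      return matchesAnyEntry(url, policy.entries);
    default:
      throw new Error(`unknown policy mode: ${policy.mode}`);
  }
}

// Split a site's URLs into captured and skipped so the policy can be reviewed
// before enabling replay in Production.
function previewPolicy(urls, policy) {
  const captured = [];
  const skipped = [];
  for (const url of urls) {
    (isCaptured(url, policy) ? captured : skipped).push(url);
  }
  return { captured, skipped };
}

// Constructed sample URLs, including the "food" page that shares the "foo"
// substring and a second confirmation page under a different path.
const SAMPLE_URLS = [
  "https://example.com/foo/path1",
  "https://example.com/foo/path2",
  "https://example.com/food",
  "https://example.com/checkout/confirmation",
  "https://example.com/orders/12345/confirmation",
  "https://example.com/pricing",
];

const BLOCK_CONFIRMATION = { mode: "block", entries: ["/checkout/confirmation"] };
const ALLOW_FOO = { mode: "allow", entries: ["foo"] };

console.log(previewPolicy(SAMPLE_URLS, ALLOW_FOO));
console.log(previewPolicy(SAMPLE_URLS, BLOCK_CONFIRMATION));
```

With BLOCK_CONFIRMATION, the orders confirmation page still lands in the captured list, which is the kind of gap this preview is meant to surface before the setting is saved.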
CSS Class Semantics
Heap does not support wildcards (*) in CSS selectors added to the inclusion or exclusion lists.
Substring Semantics
The inclusion and exclusion lists follow substring semantics, so all URLs containing the entered text will be included/excluded.
For example, capturing replay from URLs that contain foo will include example.com/foo/path1, example.com/foo/path2, and example.com/food.
However, all standard CSS selectors are recognized, so you may be able to use the ^=, $= and *= attribute selectors to achieve the same functionality. For example:
- a[class^="patient_name"]: selects every <a> element whose class attribute value begins with “patient_name”.
- a[class$="diagnosis"]: selects every <a> element whose class attribute value ends with “diagnosis”.
- a[class*="medication_list"]: selects every <a> element whose class attribute value contains the substring “medication_list”.
This may be necessary for customers using a React styling library. See React Styling Libraries & DOM Minification for ways to automatically generate semantically useful class names when using a React styling library.
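A mask list only protects data if every rendering of a sensitive element matches one of its selectors, and the ^=, $= and *= operators compare against the whole class attribute string rather than each individual class name. The following is an added example, not Heap's code: it represents elements as constructed plain objects so it runs outside a browser, re-implements those three operators with their CSS semantics, and reports sensitive elements that a wildcard-free mask list leaves unmatched (an element whose class attribute begins with another class is missed by ^= but caught by *=).

```javascript
// Added example (not Heap's code): check that a set of wildcard-free CSS
// attribute selectors covers every element that must be masked. Elements are
// constructed plain objects so this runs without a DOM; matching follows the
// CSS ^= (prefix), $= (suffix) and *= (substring) rules, which compare against
// the WHOLE class attribute string, not each space-separated class name.

const SELECTOR_RE = /^([a-z][a-z0-9]*)?\[class([\^$*])="([^"]+)"\]$/i;

function parseSelector(selector) {
  const m = SELECTOR_RE.exec(selector.trim());
  if (!m) throw new Error(`unsupported selector: ${selector}`);
  return { tag: (m[1] || "").toLowerCase(), op: m[2], value: m[3] };
}

function selectorMatches(selector, el) {
  const { tag, op, value } = parseSelector(selector);
  if (tag && tag !== el.tag.toLowerCase()) return false;
  const cls = el.class || "";
  if (op === "^") return cls.startsWith(value);
  if (op === "$") return cls.endsWith(value);
  return cls.includes(value);
}

// Return the sensitive elements that no selector in the mask list matches.
function unmaskedSensitive(maskList, elements) {
  return elements.filter(
    (el) => el.sensitive && !maskList.some((s) => selectorMatches(s, el))
  );
}

// Constructed sample: React-style hashed class names and one element that
// carries an extra layout class before the sensitive one.
const ELEMENTS = [
  { tag: "a", class: "patient_name__x7k2", sensitive: true },
  { tag: "a", class: "card patient_name__x7k2", sensitive: true },
  { tag: "a", class: "notes_diagnosis", sensitive: true },
  { tag: "a", class: "nav_link", sensitive: false },
];

const PREFIX_ONLY = ['a[class^="patient_name"]', 'a[class$="diagnosis"]'];
const SUBSTRING = ['a[class*="patient_name"]', 'a[class$="diagnosis"]'];

console.log(unmaskedSensitive(PREFIX_ONLY, ELEMENTS)); // the "card patient_name__x7k2" element
console.log(unmaskedSensitive(SUBSTRING, ELEMENTS)); // []
```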