The general security settings you have chosen for Heap (found by going to Security Settings) will be the first settings we apply to everything in your Heap app. The Session Replay Privacy & Security settings are applied next.
| Heap Setting | Session Replay Behavior |
| Target text capture disabled (either in Heap settings, or per-page via disableTextCapture) | Masks all text on the page (but does not redact the page title when applied to a single page). Note: for the most part, this renders session replay useless (when applied globally)! |
Element with data-heap-redact-text='true' | Element is completely redacted (this also applies to page titles) |
data-heap-redact-attributes='attr1,attr2' applied to any parent element in the DOM | Entire elements are redacted (not just the specified attributes). Note: the behavior is not 1:1 between analytics and session replay here because it is challenging to performantly check all attributes in child elements, so we took a conservative approach when applying this setting to session replay. |
| Secure Cookie enabled / disabled | Session replay mirrors analytics behavior (note: this should be enabled to support iframes in session replay) |
| Excluded IPs | No new session replays will be recorded for users with matching IP addresses. |