Security

TLS, masking before storage, maskFields, what we capture, what we never collect, and how to report vulnerabilities.

Security at a glance

  • TLS everywhere — ingest and dashboard traffic over HTTPS only.
  • Masking before storage — passwords, tokens, cookies, and card-related keys become [MASKED]; optional maskFields adds more names.
  • Backend only — no visitor screen recordings; we do not sell your production payloads.

Security shapes how we handle events, credentials, and customer trust. This page is a high-level summary—not a certification or audit report. For SDK details, see the Security & masking docs.

Encryption in transit

Traffic uses TLS. Point SDKs and integrations at HTTPS endpoints only—never plain HTTP for ingest or dashboard traffic.

Masking & sensitive payloads

Masking runs on ingest—before events appear in timelines, exports, or replay sessions. Matching field values are replaced with [MASKED]. This is separate from your dashboard login security (2FA, API keys for ingest).

maskFields (SDK — optional)

Optional. Extra JSON/header field names to redact. A built-in sensitive-name list always runs first; leaving maskFields empty never disables it.

Example: maskFields: ['phone_number', 'national_id', 'patientId']

Built-in redacted field names (always on)

authorization · password · passwd · token · access_token · refresh_token · apiKey · api_key · secret · client_secret · cookie · set-cookie · cardNumber · card_number · cvv · otp

  • SDKs and ingest apply masking on the way in—before events land in timelines, exports, or replay sessions.
  • Field matching is case-insensitive; hyphens, underscores, and spaces are treated as equivalent (e.g. api_key ≈ apiKey).
  • Use maskFields only for extra names (phone_number, national_id, patientId). Defaults always apply even when maskFields is omitted.
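The matching rules above, worked through as an added illustration (this is not the ReplayStack SDK's own code): the built-in list is the one printed above, names are compared case-insensitively after dropping hyphens, underscores and spaces, and maskFields only ever adds names. It assumes a matched key is replaced whole (exact match after normalisation, not substring), that key spelling is preserved in the output, and uses a constructed sample event.

```javascript
// Illustration of the documented masking rules; not the SDK's implementation.
const BUILTIN_SENSITIVE = [
  'authorization', 'password', 'passwd', 'token', 'access_token', 'refresh_token',
  'apiKey', 'api_key', 'secret', 'client_secret', 'cookie', 'set-cookie',
  'cardNumber', 'card_number', 'cvv', 'otp',
];

// Canonical form of a field name: lower-case with "-", "_" and " " removed,
// so api_key, apiKey, Api-Key and "api key" all compare equal.
function normalizeName(name) {
  return String(name).toLowerCase().replace(/[-_ ]/g, '');
}

// The built-ins are always present; maskFields can only extend the set.
function buildMaskSet(maskFields = []) {
  return new Set([...BUILTIN_SENSITIVE, ...maskFields].map(normalizeName));
}

// Walk headers and JSON bodies recursively; a matching key's value becomes
// "[MASKED]" (assumption: exact match after normalisation, whole value replaced).
function maskValue(value, maskSet) {
  if (Array.isArray(value)) return value.map((v) => maskValue(v, maskSet));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = maskSet.has(normalizeName(k)) ? '[MASKED]' : maskValue(v, maskSet);
    }
    return out;
  }
  return value;
}

function maskEvent(event, maskFields) {
  return maskValue(event, buildMaskSet(maskFields));
}

// Constructed sample event, not real traffic.
const sampleEvent = {
  route: '/v1/login', method: 'POST', status: 200,
  headers: { Authorization: 'Bearer abc', 'Set-Cookie': 'sid=1', 'X-Request-Id': 'r-42' },
  body: { user: 'alice', password: 'hunter2', phone_number: '+15550100', nested: { ApiKey: 'k' } },
};
```

Running maskEvent(sampleEvent, ['phone_number']) masks Authorization, Set-Cookie, password, the nested ApiKey and phone_number while leaving route, user and X-Request-Id untouched; omitting maskFields still masks the built-in names but keeps phone_number.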

What we capture vs never collect

Stored (after masking, when you instrument)

  • Backend API, webhook, queue, and worker events you explicitly instrument with the SDK or ingest API.
  • Request metadata you choose to send: route, method, status, latency, service name, environment, and correlation IDs.
  • Request/response bodies and headers after automatic masking (values replaced with [MASKED], not stored in clear text for matched keys).
  • Stack traces and structured steps so your team can replay and diff failures—not raw end-user browser sessions.

Never collected

  • End-user mouse clicks, screen recordings, or front-end DOM snapshots (ReplayStack is backend observability, not session replay for visitors).
  • Passwords, bearer tokens, cookies, or API secrets in clear text—matching field names are redacted before storage.
  • Full payment card numbers or CVV values when field names match our built-in list (add custom names with maskFields if your schema differs).
  • Arbitrary files, databases, or infrastructure metrics unless your integration sends them as part of an event payload.
  • Your production payloads are never sold or rented to advertisers or data brokers.

For privacy rights on account data, see our Privacy Policy.

Report an issue

Found a vulnerability? Email hello@replaystack.co with "Security" in the subject line (or the same wording in the body), describing what you found and how to reproduce it—we will triage and respond as quickly as we can.