An important requirement for website logging is the ability to remove or obscure sensitive user data. According to the EU Data Protection Directive, personal data are "any information relating to an identified or identifiable natural person". Passwords and social security numbers are obviously sensitive and should never be sent to a remote logging service. Depending on the country and the applicable law, you may also not be allowed to store data such as IP addresses, names or other user-specific data in your databases.
When using RootCause, we provide you with total control over what data gets logged. If you’re short on time, we built a demo for you to check out.
Obfuscating User Input
Web applications usually contain at least a couple of input fields where users enter sensitive data. To obfuscate this input before it is logged, you can use the onBeforeLog method:

```javascript
var logger = new RC.Logger({
    captureScreenshot : true,
    onBeforeLog : function (logData) {
        // Obfuscate typed text: replace every letter and digit with X, so that
        // numbers such as card or social security numbers are masked as well
        logData.userActions.forEach(function (data) {
            if (data.action === 'type') {
                data.text = data.text.replace(/[a-zA-Z0-9]/g, 'X');
            }
        });
    },
    ...
});
```
The onBeforeLog method is called with a single parameter: an object containing all the data of the user session. Through this object you can read and modify user actions, console activity and Ajax request information before the data is sent to the server. In the sample above we simply replace every alphanumeric character with X, which preserves the length of the input but hides its value. Keep in mind that typed text is only one channel: the same value may also appear in an Ajax request body or a console message, so a complete hook should scrub those parts of the object as well. You can see the effect in this video where an error session is played back.
Please note that manipulating what the user typed may break the playback of a user session, depending on your application logic (for example, if the replayed input no longer passes client-side validation).
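The hook in the sample above masks only the typed text. The same value usually travels on as an Ajax request body and may be echoed to the console, so a practical onBeforeLog covers all three. The following is an added example, not RootCause's own code: a redaction routine that masks typed input as above, blanks sensitive fields in request headers and bodies (JSON or form-encoded), and replaces card-number-like digit runs (Luhn-checked) in free text. The field names consoleMessages, ajaxRequests, headers and requestBody are assumptions made for illustration; only userActions[].action and .text appear in the original snippet, so check the names against the logData object your logger actually delivers. The sample session at the end is constructed, not captured data.

```javascript
// Added example, not RootCause's own code. Only userActions[].action / .text come
// from the page; consoleMessages, ajaxRequests, headers and requestBody are
// ASSUMED field names used here for illustration.

var MASK_CHAR = 'X';

// Mask every letter and digit but keep length and separators, so playback still
// shows that something of that shape was typed without revealing the value.
function maskText(text) {
  return String(text).replace(/[A-Za-z0-9]/g, MASK_CHAR);
}

// Luhn checksum, so only plausible card numbers are replaced in free text.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  var sum = 0, doubleIt = false;
  for (var i = digits.length - 1; i >= 0; i--) {
    var d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Runs of 13-19 digits, optionally separated by single spaces or dashes.
var CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

function redactCardNumbers(s) {
  return String(s).replace(CARD_RE, function (match) {
    return luhnValid(match.replace(/[ -]/g, '')) ? '[CARD]' : match;
  });
}

// Field names whose values must never reach the log (case-insensitive).
var SENSITIVE_KEYS = /^(password|passwd|pwd|secret|token|authorization|cookie|ssn|cvv|card_?number)$/i;

// Walk any JSON-like structure: blank sensitive keys, scrub card numbers in strings.
function redactObject(value) {
  if (Array.isArray(value)) return value.map(redactObject);
  if (value !== null && typeof value === 'object') {
    var out = {};
    Object.keys(value).forEach(function (key) {
      out[key] = SENSITIVE_KEYS.test(key) ? '[REDACTED]' : redactObject(value[key]);
    });
    return out;
  }
  return typeof value === 'string' ? redactCardNumbers(value) : value;
}

// Request bodies are usually JSON strings; otherwise treat them as
// application/x-www-form-urlencoded key=value pairs or plain text.
function redactBody(body) {
  if (typeof body !== 'string') return redactObject(body);
  try {
    return JSON.stringify(redactObject(JSON.parse(body)));
  } catch (e) {
    return body.split('&').map(function (pair) {
      var eq = pair.indexOf('=');
      return eq > 0 && SENSITIVE_KEYS.test(pair.slice(0, eq))
        ? pair.slice(0, eq + 1) + '[REDACTED]'
        : redactCardNumbers(pair);
    }).join('&');
  }
}

// The hook itself: sanitises logData in place and returns it.
function sanitizeLogData(logData) {
  (logData.userActions || []).forEach(function (action) {
    if (action.action === 'type') action.text = maskText(action.text);
  });
  (logData.consoleMessages || []).forEach(function (entry) {
    entry.message = redactCardNumbers(entry.message);
  });
  (logData.ajaxRequests || []).forEach(function (req) {
    if (req.headers) req.headers = redactObject(req.headers);
    if (req.requestBody !== undefined) req.requestBody = redactBody(req.requestBody);
  });
  return logData;
}

// Constructed sample session for demonstration (not real captured data).
function sampleLogData() {
  return {
    userActions: [
      { action: 'type', text: 'jane.doe@example.com' },
      { action: 'click', target: '#submit' }
    ],
    consoleMessages: [{ level: 'log', message: 'paying with 4111 1111 1111 1111 now' }],
    ajaxRequests: [{
      url: '/api/login',
      headers: { Authorization: 'Bearer abc.def.ghi' },
      requestBody: '{"user":"jane","password":"hunter2"}'
    }]
  };
}

// In the browser the hook is wired as:
//   var logger = new RC.Logger({ captureScreenshot: true, onBeforeLog: sanitizeLogData });
console.log(JSON.stringify(sanitizeLogData(sampleLogData()), null, 2));
```

The Luhn check keeps order numbers and timestamps from being blanked as false positives, while the key-based rule catches the cases where the value itself looks harmless (a short password) but the field name says it must not be logged. Extend SENSITIVE_KEYS with the field names of your own forms and APIs.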
Hiding Data In Screenshots
Before a screenshot is captured by RootCause, it gives you the option to hide sensitive DOM elements such as password fields and credit card number inputs. You can configure this behavior in two ways. The easiest way is to provide a CSS selector targeting your sensitive elements using the blackoutSelector option:

```javascript
var logger = new RC.Logger({
    captureScreenshot : true,
    blackoutSelector : '[type=password], #cc-input',
    ...
});
```
The second option is to use the onBeforeScreenshot and onAfterScreenshot methods to prepare the DOM for the screenshot. A simple example:

```javascript
var previousDisplay;

var logger = new RC.Logger({
    captureScreenshot : true,
    onBeforeScreenshot : function () {
        var el = document.getElementById('secretElement');
        previousDisplay = el.style.display; // remember the original value
        el.style.display = 'none';
    },
    onAfterScreenshot : function () {
        // Restore the exact previous value rather than hard-coding 'block'
        document.getElementById('secretElement').style.display = previousDisplay;
    },
    ...
});
```

Note that display: none removes the element from the layout, so the screenshot may no longer match what the user actually saw; if the surrounding layout matters for reproducing the error, use visibility: hidden instead, which hides the content but keeps its space.
On-premises – Run RootCause on your own private server
Sometimes even the measures described above aren't enough. Some countries don't allow user data to be stored outside their borders. For this scenario we provide an on-premises version that lets you run your own local installation of RootCause. To get more information and a free trial, please send us a message and we'll assist you as soon as we can.