Skip to content

feat(javascript): Add "Data Collected" #13527

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Apr 30, 2025
Merged

feat(javascript): Add "Data Collected" #13527

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
356dcbf
feat(javascript): Add "Data Collected"
s1gr1d Apr 28, 2025
75184b3
add context lines; fix broken links
s1gr1d Apr 28, 2025
5d24e9e
fix 404
s1gr1d Apr 29, 2025
f07b43a
fix 404
s1gr1d Apr 29, 2025
9fe3d5b
review suggestions
s1gr1d Apr 30, 2025
9361a13
review suggestions
s1gr1d Apr 30, 2025
2fd0142
fix 404
s1gr1d Apr 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/platforms/javascript/common/configuration/integrations/vercelai.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,9 @@ supported:
- javascript.electron
- javascript.nextjs
- javascript.nuxt
- javascript.solidstart
- javascript.sveltekit
- javascript.react-router
- javascript.remix
- javascript.astro
- javascript.bun
Expand Down
117 changes: 117 additions & 0 deletions docs/platforms/javascript/common/data-management/data-collected/index.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
---
title: Data Collected
description: "See what data is collected by the Sentry SDK."
sidebar_order: 1
---

Sentry takes data privacy very seriously and has default settings in place that prioritize data safety, especially when it comes to personally identifiable information (PII) data. When you add the Sentry SDK to your application, you allow it to collect data and send it to Sentry during the runtime of your application.

The category types and amount of data collected vary, depending on the integrations you've enabled in the Sentry SDK. This page lists data categories that the Sentry Android SDK collects.

Many of the categories listed here require you to enable the <PlatformLink to="/configuration/options/#sendDefaultPii">sendDefaultPii option</PlatformLink>.

## HTTP Headers

By default, the Sentry SDK doesn't send any HTTP response or request headers.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this isn't entirely true, right? IIRC from your PR, it's true for browser but in Node we always send headers? If so, let's maybe only show this for browser JS?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah this is currently not true but I was already writing the optimistic version of the docs for after my PR is merged :D

But since we don't filter sending the HTTP headers I'll rewrite this


To start sending HTTP headers, set <PlatformLink to="/configuration/options/#sendDefaultPii">`sendDefaultPii: true`</PlatformLink>.

## Cookies

By default, the Sentry SDK doesn't send cookies. Sentry tries to remove any cookies that contain sensitive information, such as the Session ID and CSRF Token cookies in Django.

If you want to send cookies, set `sendDefaultPii: true` in the `Sentry.init()` call. This will send the cookie headers `Cookie` and `Set-Cookie` from fetch and XHR requests.

## Information About Logged-in User

By default, the Sentry SDK doesn't send any information about the logged-in user, such as email address, user ID, or username. Even if enabled, the type of logged-in user information you'll be able to send depends on the integrations you enable in Sentry's SDK. Most integrations won't send any user information. Some will only set the user ID, but there are a few (e.g. <PlatformLink to="/user-feedback/">User Feedback</PlatformLink>) that will set the user ID, username, and email address.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

even if enabled

if what is enabled -- sendDefaultPii?

Some will only set the user ID

I'm curious myself now, which ones? 😅

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's bad wording 🙈
It basically depends on what the user provides in the object. I'm going to re-write this all 😅


To start sending logged-in user information, set <PlatformLink to="/configuration/options/#sendDefaultPii">`sendDefaultPii: true`</PlatformLink> in your `Sentry.init({})` config.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm maybe I'm missing something but wouldn't I have to use setUser to actually set user data? Other than that, there's IP inferral and stuff but this is explained in the section below


## Users' IP Address and Location

By default, the Sentry SDK doesn't send the user's IP address.

To enable sending the user's IP address and infer the location, set <PlatformLink to="/configuration/options/#sendDefaultPii">`sendDefaultPii: true`</PlatformLink>. In some integrations such as <PlatformLink to="/guides/astro/#customize-server-instrumentation">`handleRequest`</PlatformLink> in Astro, you can send the user's IP address by enabling `trackClientIp`.

If sending the IP address is enabled we will try to infer the IP address or use the IP address provided by `ip_address` in <PlatformLink to="/apis/#setUser">`Sentry.setUser()`</PlatformLink>. If you set `ip_address: null`, the IP address won't be inferred.

## Request URL

The full request URL of outgoing and incoming HTTP requests is **always sent to Sentry**. Depending on your application, this could contain PII data. For example, a URL like `/users/1234/details`, where `1234` is a user id (which may be considered PII).

## Request Query String

The full request query string of outgoing and incoming HTTP requests is **always sent to Sentry**. Depending on your application, this could contain PII data.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

two things:

l: let's add an example for a query param (and maybe also fragment?), just so that everyone understands what we're referring to

m: AFAIK we apply server-side PII scrubbing to the URL query and fragment fields. This doesn't change the fact that we send the data but maybe it's worth mentioning? I guess we do this on a lot of fields mentioned on this page in general, so instead of mentioning it here specifically, we could write a short section about it and link to the docs.

## Request Body
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this apply to all requests we collect (everywhere)?

I'd specifically mention if this applies to incoming or outgoing requests because I think there's different behaviour, right?


- **The type of the request body:**
- JSON and HTML Form bodies are sent
- **The size of the request body:** There's a <PlatformLink to="/configuration/options/#max-request-body-size">maxRequestBodySize</PlatformLink> option that's set to `NONE` by default. This means by default no request body is sent to Sentry.

## Response Body

By default, the Sentry SDK doesn't send the content of response bodies. By default, the SDK will send the response body size based on the `content-length` header.

## Source Context

By default, using the Sentry CLI Wizard will enable uploading source maps to Sentry.

To disable source map upload, see <PlatformLink to="/sourcemaps">the Source Maps documentation</PlatformLink>.

## Local Variables In Stack Trace

By default, the Sentry SDK will not send local variables in the error stack trace in client-side JavaScript SDKs.

<PlatformSection notSupported={["javascript", "javascript.angular", "javascript.ember", "javascript.react", "javascript.solid", "javascript.svelte", "javascript.vue"]}>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

l: I think you can use PlatformCategorySection to disable client-side SDKs here

You can enable sending local variables by setting `includeLocalVariables: true` in the `Sentry.init()` call. This activates the <PlatformLink to="/configuration/integrations/localvariables">Local Variables Integration</PlatformLink>. The integration is added by default in Node.js-based runtimes.
</PlatformSection>

## Device, Browser, OS and Runtime Information

By default, the Sentry SDK sends information about the device and runtime to Sentry.

In browser environments, this information is obtained by the User Agent string. The User Agent string contains information about the browser, operating system, and device type.

In server-side environments, the Sentry SDK uses the `os` module to get information about the operating system and architecture.

<PlatformSection notSupported={["javascript.node", "javascript.aws-lambda", "javascript.azure-functions", "javascript.connect", "javascript.express", "javascript.fastify", "javascript.gcp-functions", "javascript.hapi", "javascript.hono", "javascript.koa", "javascript.nestjs", "javascript.wasm"]}>
## Referrer URL

By default, the Sentry SDK sends the referrer URL to Sentry. This is the URL of the page that linked to the current page.

## Session Replay

By default, our Session Replay SDK masks all text content, images, web views, and user input. This helps ensure that no sensitive data is exposed. You can find <PlatformLink to="/session-replay/privacy/">more details in the Session Replay documentation</PlatformLink>.

## Console Logs

By default, the Sentry SDK sends JS console logs to Sentry which may contain PII data.

To disable sending console messages, set `console: false` in your `Sentry.breadcrumbsIntegration` config, see <PlatformLink to="/configuration/integrations/breadcrumbs/">the Breadcrumbs documentation</PlatformLink>.

</PlatformSection>

<PlatformSection notSupported={["javascript", "javascript.angular", "javascript.ember", "javascript.react", "javascript.solid", "javascript.svelte", "javascript.vue", "javascript.wasm"]}>
## Database Queries

By default, the Sentry SDK sends SQL queries to Sentry. The SQL queries can include PII information if the statement is not parametrized.

MongoDB queries are sent as well, but the Sentry SDK will not send the full MongoDB query. Instead, it will send a parameterized version of the query.

## LLM Inputs And Responses

When using the <PlatformLink to="/configuration/integrations/vercelai/">Vercel AI Integration</PlatformLink>, the used prompt is sent to Sentry along with meta data like model ID and used tokens. Check out the full list of attributes [in the code](https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/integrations/tracing/vercelai/index.ts).

## tRPC Context

By default, the Sentry SDK doesn't send tRPC input from the tRPC context.

If you want to send the tRPC input you can enable it by setting `sendDefaultPii: true` in the `Sentry.init()` call or by setting `attachRpcInput: true` in the `Sentry.trpcMiddleware()` options.

## Stack Trace Context Lines

By default, the <PlatformLink to="/configuration/integrations/contextlines/">Context Lines Integration</PlatformLink> is enabled. This integration sends the surrounding lines of code for each frame in the stack trace. This can include PII data if the code contains PII information.

</PlatformSection>
Loading