Hawk provides the most comprehensive data possible on your users’ experience. However, some data is sensitive: for instance, customer credit card numbers, user passwords or social security numbers. You may be under ethical or legal obligations not to obtain sensitive data, and Hawk is designed to facilitate that.
Data that has been marked as sensitive will not be transmitted by Hawk.
Note: This data is only hidden from Hawk. Your website’s own traffic is unmodified.
Automatically Ignored Data
Hawk automatically ignores certain data. For example, we don’t capture the value of <input type="password"> or <input autocomplete="cc-number"> fields, and when we capture fetch or XHR errors, we mask JSON properties with password in their name.
For a complete list of the data that we ignore by default, see here.
JSON Web Tokens
If you use JSON Web Tokens, we’ll decode them client-side and include that data in error reports. This enables you to debug the token that was used in the request, without worrying about misuse of the JWT. Hawk never receives a “raw” JWT that could be used to impersonate a user.
Specifying Sensitive Data to Hide
Navigate to the Site Settings page and select the Sensitive Data tab.

Request & Response Headers
If the sensitive data is contained in a request or response header, enter the name of the header in the appropriate field. The names are compared case-insensitively to the header names we see on your network traffic.
Example: x-token matches X-Token, but not x-token-our-site.
Request & Response Body
We use dot syntax to identify particular fields within request and response bodies. The comparison is case sensitive. Only JSON and application/x-www-form-urlencoded bodies are supported.
- Entering a string without any dots (like xyz) will match any field with that name, no matter how deeply nested it is in the body.
- Use a dot (like xyz.abc) to specify a field on a particular object: in this case, only the abc field of the xyz object will be hidden. The xyz object could be anywhere in the body.
- Use a number (like xyz.2.abc) to specify a position within an array: in this case, the abc field on the third object in the xyz array will be hidden.
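The following added example (not Hawk's own code) models the body-field rules above so you can check which fields a rule would hide before relying on it. The function names, the sample body and the reading of a rule as a case-sensitive match on the tail of a field's path are assumptions made for illustration.

```javascript
// Added example, not Hawk's code. Assumption: a rule matches when its
// dot-separated segments equal the tail of a field's path (case-sensitive);
// array positions count as path segments.

// Parse the two supported body types into a plain object.
function parseBody(contentType, text) {
  if (contentType.startsWith("application/x-www-form-urlencoded")) {
    return Object.fromEntries(new URLSearchParams(text));
  }
  return JSON.parse(text);
}

// Return the dotted path of every field that `rule` would hide.
function matchedPaths(body, rule) {
  const want = rule.split(".");
  const hits = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== "object") return;
    for (const [key, child] of Object.entries(node)) {
      const here = [...path, key];
      const tail = here.slice(-want.length);
      if (tail.length === want.length && tail.every((s, i) => s === want[i])) {
        hits.push(here.join("."));
      }
      walk(child, here);
    }
  };
  walk(body, []);
  return hits;
}

// Leaf paths that no rule matches directly, i.e. values that would still be
// sent. Conservative: a leaf is covered only if a rule matches the leaf itself.
function uncoveredLeaves(body, rules) {
  const hidden = rules.flatMap((r) => matchedPaths(body, r));
  const leaves = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== "object") { leaves.push(path.join(".")); return; }
    for (const [k, v] of Object.entries(node)) walk(v, [...path, k]);
  };
  walk(body, []);
  return leaves.filter((p) => !hidden.includes(p));
}

// Constructed sample body: note the differently cased "Card" object.
const sample = {
  user: { name: "Ada", card: { number: "4111-1111-1111-1111" } },
  Card: { number: "5500-0000-0000-0004" },
  xyz: [{ abc: 1 }, { abc: 2 }, { abc: 3 }],
};
console.log(uncoveredLeaves(sample, ["card.number", "xyz.2.abc"]));
```

In the sample, the rule card.number leaves Card.number uncovered because the comparison is case sensitive, which is the kind of gap worth checking for against real payloads.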
DOM Elements
To identify elements within the DOM, we use document.querySelectorAll(); the syntax should be familiar from CSS or jQuery.
html, head or body elements will not work.
- If the selected element is an <input>, we’ll hide its value.
- If the selected element is a <select>, we’ll hide the options as well as which option is selected.
- For other elements, we’ll hide any text inside the element.
How We Hide Data
- Numbers: If the value is a numeric JavaScript data type, we replace every digit with a 1. Example: 12345.67 becomes 11111.11
- JWT: If the value is a JWT, we replace it with JWT({contents of JWT}). Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd... becomes JWT({"sub": "1234567890", "name": "John Doe", "iat": 1516239022})
- Strings containing numbers: If the value is a string, but we expect it to contain only numbers (as with credit card numbers or social security numbers), we replace every digit with a • and leave all other characters intact. This is so that developers using Hawk to debug their applications can see whether a complete value was entered, without transmitting that value. Example: 123-45-6789 becomes •••-••-•••• and 123-4X-XXXX becomes •••-•X-XXXX
- Alphanumeric strings: If the value is a string we expect to be alphanumeric (as with a password hint or a password), we replace every character with a • except for the following:
  - space
  - tab
  - newline (\n)
  - carriage return (\r)
  - hyphen
  - dot
  - underscore