Sensitive Data

Protect your users' information

Hawk provides the most comprehensive data on your user’s experience possible. However, some data is sensitive; for instance, customer credit card numbers, user passwords or social security numbers. You may be under ethical or legal obligations not to obtain sensitive data, and Hawk is designed to facilitate that.

Data that has been marked as sensitive will not be transmitted by Hawk.

Note: This data is only hidden from Hawk. Your website’s own traffic is unmodified.

Automatically Ignored Data

Hawk automatically ignores certain data. For example, we don’t capture the value of <input type="password"> or <input autocomplete="cc-number"> fields, and when we capture fetch or XHR errors, we mask JSON properties with password in their name.
For a complete list of the data that we ignore by default, see here.

JSON Web Tokens

If you use JSON Web Tokens, we’ll decode them client-side and include that data in error reports. This enables you to debug the token that was used in the request, without worrying about misuse of the JWT. Hawk never receives a “raw” JWT that could be used to impersonate a user.

Specifying Sensitive Data to Hide

Navigate to the Site Settings page and select the Sensitive Data tab.

Screenshot: Hawk Settings, Sensitive Data tab
Request & Response Headers

If the sensitive data is contained in a request or response header, enter the name of the header in the appropriate field. The names are compared case-insensitively to the header names we see on your network traffic.

Request & Response Body

We use dot syntax to identify particular fields within request and response bodies. The comparison is case sensitive. Only JSON and application/x-www-form-urlencoded bodies are supported.

  • Entering a string without any dots (like xyz) will match any field with that name, no matter how deeply nested it is in the body.
  • Use a dot (like xyz.abc) to specify a field on a particular object: in this case, only the abc field of the xyz object will be hidden. The xyz object could be anywhere in the body.
  • Use a number as a path segment to specify a position within an array: in this case, the abc field on the third object in the xyz array will be hidden.

DOM Elements

To identify elements within the DOM, we use document.querySelectorAll(); the syntax should be familiar from CSS or jQuery.

  • If the selected element is an <input>, we’ll hide its value.
  • If the selected element is a <select>, we’ll hide the options as well as which option is selected.
  • For other elements, we’ll hide any text inside the element.

How We Hide Data

  • Numbers: If the value is a numeric JavaScript data type, we replace every digit with a 1.
  • JWT: If the value is a JWT, we replace it with JWT({contents of JWT}).
  • Strings containing numbers: If the value is a string, but we expect it to contain only numbers (as with credit card numbers or social security numbers), we replace every digit with a placeholder character and leave all other characters intact. This is so that developers using Hawk to debug their applications can see whether a complete value was entered, without transmitting that value.
  • Alphanumeric strings: If the value is a string we expect to be alphanumeric (as with a password hint or a password), we replace every character with a placeholder character except for the following:
    • space
    • tab
    • newline (\n)
    • carriage return (\r)
    • hyphen
    • dot
    • underscore
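The following is an added example, not Hawk's own code: a small masker that applies the dot-syntax body rules from "Request & Response Body" and the value rules from "How We Hide Data" to a parsed JSON body before it would be transmitted. It assumes zero-based array indices, "x" as the placeholder for alphanumeric strings, "1" for digits in numeric-looking strings, and that JWT(...) carries the decoded payload claims; none of those details are stated on the page.

```javascript
// Characters left intact when masking alphanumeric strings (from "How We Hide Data").
const KEEP = new Set([" ", "\t", "\n", "\r", "-", ".", "_"]);
const JWT_RE = /^[\w-]+\.[\w-]+\.[\w-]*$/; // header.payload.signature, base64url segments

// Decode a JWT's payload claims; the signature is discarded, never verified or sent.
function decodeJwtPayload(token) {
  const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Mask one leaf value. Assumptions: digits become "1", other characters become "x",
// and the JWT(...) form carries the decoded payload claims rather than the raw token.
function maskValue(v) {
  if (typeof v === "number") return Number(String(v).replace(/\d/g, "1"));
  if (typeof v !== "string") return v;
  if (JWT_RE.test(v)) {
    try { return `JWT(${JSON.stringify(decodeJwtPayload(v))})`; } catch { /* not a JWT */ }
  }
  if (/^\d[\d\s-]*$/.test(v)) return v.replace(/\d/g, "1"); // card / SSN style string
  return [...v].map((c) => (KEEP.has(c) ? c : "x")).join("");
}

// A dot-syntax rule matches a node when its segments equal the tail of the node's
// path: "abc" matches at any depth, "xyz.abc" matches abc under any xyz object.
function ruleMatches(rule, path) {
  const segs = rule.split(".");
  const tail = path.slice(path.length - segs.length);
  return segs.length <= path.length && segs.every((s, i) => s === tail[i]);
}

// Walk a parsed JSON body and return a masked copy. Array indices are zero-based
// (assumption) and keys containing "password" are hidden even without a rule.
function maskBody(body, rules) {
  const walk = (node, path, hide) => {
    const key = path[path.length - 1] ?? "";
    hide = hide || key.includes("password") || rules.some((r) => ruleMatches(r, path));
    if (Array.isArray(node)) return node.map((v, i) => walk(v, [...path, String(i)], hide));
    if (node !== null && typeof node === "object") {
      const out = {};
      for (const [k, v] of Object.entries(node)) out[k] = walk(v, [...path, k], hide);
      return out;
    }
    return hide ? maskValue(node) : node;
  };
  return walk(body, [], false);
}
```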
