Default Data Masking User data we hide by default

(This article is a list of user data that Hawk’s data masking hides by default. For a comprehensive overview of our robust custom data masking feature, see here.)

Note: Data masking only hides data from Hawk. Your website’s own traffic is unmodified.

We hide the values of these elements:

<input type="password">
<input> and <textarea> that match:
  • placeholder attribute (all case-insensitive)
    • contains: “social security number”
    • contains: “card number”
    • equals: “CVC”
    • equals: “CVV”
    • equals: “CVC2”
    • equals: “CVV2”
    • equals: “CSC”
  • name, id or ng-model attribute that matches (after removing the text “confirm”, if present) these regexes:
    • /\bssn\d*\b/i
    • /\bsocialsecuritynumber\d*\b/i
    • /\bcv[cv]\d*\b/i
    • /\bcsc\b/i
    • /\bcardnum(?:ber)?\b/i
    • /\bcreditcardnum(?:ber)?\b/i
  • autocomplete attribute that equals any of
    • cc-number
    • cc-csc
    • cc-exp
    • cc-exp-month
    • cc-exp-year

Default data masking in XHR and Fetch error reports:

Request & response headers where the name matches:
  • /password/i
  • /\bssn\d*\b/i
  • /\bsocialsecuritynumber\d*\b/i
  • /\bcv[cv]\d*\b/i
  • /\bcsc\b/i
  • /\bcardnum(?:ber)?\b/i
  • /\bcreditcardnum(?:ber)?\b/i
If the request or response body is either:
  • Valid JSON
  • Valid JSON with the string )]}' prepended.
  • Or the content-type header is application/x-www-form-urlencoded and the body is url-encoded form data
Then we hide the values of any fields that match:
  • /password/i
  • /\bssn\d*\b/i
  • /\bsocialsecuritynumber\d*\b/i
  • /\bcv[cv]\d*\b/i
  • /\bcsc\b/i
  • /\bcardnum(?:ber)?\b/i
  • /\bcreditcardnum(?:ber)?\b/i

In page URLs:

The query string parameters of URLs are processed according to the same rules as XHR and Fetch error reports, described above.


Did you find this article helpful?