From 356dcbfafd4a94c4aaa249e958279eb97b4cb289 Mon Sep 17 00:00:00 2001 From: s1gr1d Date: Mon, 28 Apr 2025 13:52:12 +0200 Subject: [PATCH 1/7] feat(javascript): Add "Data Collected" --- .../data-management/data-collected/index.mdx | 113 ++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 docs/platforms/javascript/common/data-management/data-collected/index.mdx diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx new file mode 100644 index 0000000000000..e81184a3c9052 --- /dev/null +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx 
@@ -0,0 +1,113 @@ +--- +title: Data Collected +description: "See what data is collected by the Sentry SDK." +sidebar_order: 1 +--- + +Sentry takes data privacy very seriously and has default settings in place that prioritize data safety, especially when it comes to personally identifiable information (PII) data. When you add the Sentry SDK to your application, you allow it to collect data and send it to Sentry during the runtime of your application. + +The category types and amount of data collected vary, depending on the integrations you've enabled in the Sentry SDK. This page lists data categories that the Sentry Android SDK collects. + +Many of the categories listed here require you to enable the sendDefaultPii option. + +## HTTP Headers + +By default, the Sentry SDK doesn't send any HTTP response or request headers. + +To start sending HTTP headers, set `sendDefaultPii: true`. + +## Cookies + +By default, the Sentry SDK doesn't send cookies. Sentry tries to remove any cookies that contain sensitive information, such as the Session ID and CSRF Token cookies in Django. + +If you want to send cookies, set `sendDefaultPii: true` in the `Sentry.init()` call. This will send the cookie headers `Cookie` and `Set-Cookie` from fetch and XHR requests. + +## Information About Logged-in User + +By default, the Sentry SDK doesn't send any information about the logged-in user, such as email address, user ID, or username. Even if enabled, the type of logged-in user information you'll be able to send depends on the integrations you enable in Sentry's SDK. Most integrations won't send any user information. Some will only set the user ID, but there are a few (e.g. User Feedback) that will set the user ID, username, and email address. + +To start sending logged-in user information, set `sendDefaultPii: true` in your `Sentry.init({})` config. + +## Users' IP Address and Location + +By default, the Sentry SDK doesn't send the user's IP address. 
+ +To enable sending the user's IP address and infer the location, set `sendDefaultPii: true`. In some integrations such as `handleRequest` in Astro, you can send the user's IP address by enabling `trackClientIp`. + +If sending the IP address is enabled we will try to infer the IP address or use the IP address provided by `ip_address` in `Sentry.setUser()`. If you set `ip_address: null`, the IP address won't be inferred. + +## Request URL + +The full request URL of outgoing and incoming HTTP requests is **always sent to Sentry**. Depending on your application, this could contain PII data. For example, a URL like `/users/1234/details`, where `1234` is a user id (which may be considered PII). + +## Request Query String + +The full request query string of outgoing and incoming HTTP requests is **always sent to Sentry**. Depending on your application, this could contain PII data. + +## Request Body + +- **The type of the request body:** + - JSON and HTML Form bodies are sent +- **The size of the request body:** There's a maxRequestBodySize option that's set to `NONE` by default. This means by default no request body is sent to Sentry. + +## Response Body + +By default, the Sentry SDK doesn't send the content of response bodies. By default, the SDK will send the response body size based on the `content-length` header. + +## Source Context + +By default, using the Sentry CLI Wizard will enable uploading source maps to Sentry. + +To disable source map upload, see the Source Maps documentation. + +## Local Variables In Stack Trace + +By default, the Sentry SDK will not send local variables in the error stack trace in client-side JavaScript SDKs. + + + You can enable sending local variables by setting `includeLocalVariables: true` in the `Sentry.init()` call. This activates the Local Variables Integration. The integration is added by default in Node.js-based runtimes. 
+ + +## Device, Browser, OS and Runtime Information + +By default, the Sentry SDK sends information about the device and runtime to Sentry. + +In browser environments, this information is obtained by the User Agent string. The User Agent string contains information about the browser, operating system, and device type. + +In server-side environments, the Sentry SDK uses the `os` module to get information about the operating system and architecture. + + + ## Referrer URL + + By default, the Sentry SDK sends the referrer URL to Sentry. This is the URL of the page that linked to the current page. + + ## Session Replay + + By default, our Session Replay SDK masks all text content, images, web views, and user input. This helps ensure that no sensitive data is exposed. You can find more details in the Session Replay documentation. + + ## Console Logs + + By default, the Sentry SDK sends JS console logs to Sentry which may contain PII data. + + To disable sending console messages, set `console: false` in your `Sentry.breadcrumbsIntegration` config, see the Breadcrumbs documentation. + + + + + ## Database Queries + + By default, the Sentry SDK sends SQL queries to Sentry. The SQL queries can include PII information if the statement is not parametrized. + + MongoDB queries are sent as well, but the Sentry SDK will not send the full MongoDB query. Instead, it will send a parameterized version of the query. + + ## LLM Inputs And Responses + + When using the Vercel AI Integration, the used prompt is sent to Sentry along with meta data like model ID and used tokens. Check out the full list of attributes [in the code](https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/integrations/tracing/vercelai/index.ts). + + ## tRPC Context + + By default, the Sentry SDK doesn't send tRPC input from the tRPC context. 
+ + If you want to send the tRPC input you can enable it by setting `sendDefaultPii: true` in the `Sentry.init()` call or by setting `attachRpcInput: true` in the `Sentry.trpcMiddleware()` options. + + From 75184b3ee4bc4d312c971d4877ab86ba77bb5ada Mon Sep 17 00:00:00 2001 From: s1gr1d Date: Mon, 28 Apr 2025 16:57:06 +0200 Subject: [PATCH 2/7] add context lines; fix broken links --- .../common/configuration/integrations/vercelai.mdx | 2 ++ .../common/data-management/data-collected/index.mdx | 10 +++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/platforms/javascript/common/configuration/integrations/vercelai.mdx b/docs/platforms/javascript/common/configuration/integrations/vercelai.mdx index 2a51604ba78e1..0866ad0f95088 100644 --- a/docs/platforms/javascript/common/configuration/integrations/vercelai.mdx +++ b/docs/platforms/javascript/common/configuration/integrations/vercelai.mdx @@ -16,7 +16,9 @@ supported: - javascript.electron - javascript.nextjs - javascript.nuxt + - javascript.solidstart - javascript.sveltekit + - javascript.react-router - javascript.remix - javascript.astro - javascript.bun diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx index e81184a3c9052..e4d0920c8ab32 100644 --- a/docs/platforms/javascript/common/data-management/data-collected/index.mdx +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx @@ -76,7 +76,7 @@ In browser environments, this information is obtained by the User Agent string. In server-side environments, the Sentry SDK uses the `os` module to get information about the operating system and architecture. - + ## Referrer URL By default, the Sentry SDK sends the referrer URL to Sentry. This is the URL of the page that linked to the current page. 
@@ -89,11 +89,11 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat By default, the Sentry SDK sends JS console logs to Sentry which may contain PII data. - To disable sending console messages, set `console: false` in your `Sentry.breadcrumbsIntegration` config, see the Breadcrumbs documentation. + To disable sending console messages, set `console: false` in your `Sentry.breadcrumbsIntegration` config, see the Breadcrumbs documentation. - + ## Database Queries By default, the Sentry SDK sends SQL queries to Sentry. The SQL queries can include PII information if the statement is not parametrized. @@ -110,4 +110,8 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat If you want to send the tRPC input you can enable it by setting `sendDefaultPii: true` in the `Sentry.init()` call or by setting `attachRpcInput: true` in the `Sentry.trpcMiddleware()` options. + ## Stack Trace Context Lines + + By default, the Context Lines Integration is enabled. This integration sends the surrounding lines of code for each frame in the stack trace. This can include PII data if the code contains PII information. + From 5d24e9e72363af24eca17b18f81f529aa8bd0bb0 Mon Sep 17 00:00:00 2001 From: s1gr1d Date: Tue, 29 Apr 2025 15:28:54 +0200 Subject: [PATCH 3/7] fix 404 --- .../data-management/data-collected/index.mdx | 30 +++++++++++-------- 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx index e4d0920c8ab32..2b3fca3303a26 100644 --- a/docs/platforms/javascript/common/data-management/data-collected/index.mdx +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx 
@@ -2,6 +2,8 @@ title: Data Collected description: "See what data is collected by the Sentry SDK." sidebar_order: 1 +notSupported: + - javascript.electron --- Sentry takes data privacy very seriously and has default settings in place that prioritize data safety, especially when it comes to personally identifiable information (PII) data. When you add the Sentry SDK to your application, you allow it to collect data and send it to Sentry during the runtime of your application. @@ -64,7 +66,7 @@ To disable source map upload, see the Source Maps By default, the Sentry SDK will not send local variables in the error stack trace in client-side JavaScript SDKs. - + You can enable sending local variables by setting `includeLocalVariables: true` in the `Sentry.init()` call. This activates the Local Variables Integration. The integration is added by default in Node.js-based runtimes. @@ -76,14 +78,16 @@ In browser environments, this information is obtained by the User Agent string. In server-side environments, the Sentry SDK uses the `os` module to get information about the operating system and architecture. - - ## Referrer URL + + + ## Session Replay - By default, the Sentry SDK sends the referrer URL to Sentry. This is the URL of the page that linked to the current page. + By default, our Session Replay SDK masks all text content, images, web views, and user input. This helps ensure that no sensitive data is exposed. You can find more details in the Session Replay documentation. + - ## Session Replay + ## Referrer URL - By default, our Session Replay SDK masks all text content, images, web views, and user input. This helps ensure that no sensitive data is exposed. You can find more details in the Session Replay documentation. + By default, the Sentry SDK sends the referrer URL to Sentry. This is the URL of the page that linked to the current page. ## Console Logs 
@@ -93,7 +97,13 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat - + + + ## Stack Trace Context Lines + + By default, the Context Lines Integration is enabled. This integration sends the surrounding lines of code for each frame in the stack trace. This can include PII data if the code contains PII information. + + ## Database Queries By default, the Sentry SDK sends SQL queries to Sentry. The SQL queries can include PII information if the statement is not parametrized. @@ -108,10 +118,6 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat By default, the Sentry SDK doesn't send tRPC input from the tRPC context. - If you want to send the tRPC input you can enable it by setting `sendDefaultPii: true` in the `Sentry.init()` call or by setting `attachRpcInput: true` in the `Sentry.trpcMiddleware()` options. - - ## Stack Trace Context Lines - - By default, the Context Lines Integration is enabled. This integration sends the surrounding lines of code for each frame in the stack trace. This can include PII data if the code contains PII information. + If you want to send the tRPC input you can enable it by setting `sendDefaultPii: true` in the `Sentry.init()` call or by setting `attachRpcInput: true` in the `Sentry.trpcMiddleware()` options. From f07b43a5dc09fb54c8382c7e0605816edccf2ec8 Mon Sep 17 00:00:00 2001 From: s1gr1d Date: Tue, 29 Apr 2025 15:54:02 +0200 Subject: [PATCH 4/7] fix 404 --- .../data-management/data-collected/index.mdx | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx index 2b3fca3303a26..54d36dcd5f812 100644 --- a/docs/platforms/javascript/common/data-management/data-collected/index.mdx +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx 
@@ -66,7 +66,7 @@ To disable source map upload, see the Source Maps By default, the Sentry SDK will not send local variables in the error stack trace in client-side JavaScript SDKs. - + You can enable sending local variables by setting `includeLocalVariables: true` in the `Sentry.init()` call. This activates the Local Variables Integration. The integration is added by default in Node.js-based runtimes. @@ -78,7 +78,7 @@ In browser environments, this information is obtained by the User Agent string. In server-side environments, the Sentry SDK uses the `os` module to get information about the operating system and architecture. - + ## Session Replay 
@@ -97,22 +97,25 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat - + ## Stack Trace Context Lines By default, the Context Lines Integration is enabled. This integration sends the surrounding lines of code for each frame in the stack trace. This can include PII data if the code contains PII information. - ## Database Queries + + ## LLM Inputs And Responses - By default, the Sentry SDK sends SQL queries to Sentry. The SQL queries can include PII information if the statement is not parametrized. + When using the Vercel AI Integration, the used prompt is sent to Sentry along with meta data like model ID and used tokens. Check out the full list of attributes [in the code](https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/integrations/tracing/vercelai/index.ts). - MongoDB queries are sent as well, but the Sentry SDK will not send the full MongoDB query. Instead, it will send a parameterized version of the query. + ## Database Queries - ## LLM Inputs And Responses + By default, the Sentry SDK sends SQL queries to Sentry. The SQL queries can include PII information if the statement is not parametrized. - When using the Vercel AI Integration, the used prompt is sent to Sentry along with meta data like model ID and used tokens. Check out the full list of attributes [in the code](https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/integrations/tracing/vercelai/index.ts). + MongoDB queries are sent as well, but the Sentry SDK will not send the full MongoDB query. Instead, it will send a parameterized version of the query. + + ## tRPC Context From 9fe3d5b3d8517ad7cdc08e7332dab863f26424b8 Mon Sep 17 00:00:00 2001 From: s1gr1d Date: Wed, 30 Apr 2025 11:01:02 +0200 Subject: [PATCH 5/7] review suggestions --- .../data-management/data-collected/index.mdx | 34 ++++++++++++------- 1 file changed, 21 insertions(+), 13 deletions(-) 
diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx index 54d36dcd5f812..f2d0beb23b5fc 100644 --- a/docs/platforms/javascript/common/data-management/data-collected/index.mdx +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx @@ -14,9 +14,7 @@ Many of the categories listed here require you to enable the `sendDefaultPii: true`. +By default, the Sentry SDK sends HTTP response or request headers. ## Cookies @@ -26,9 +24,9 @@ If you want to send cookies, set `sendDefaultPii: true` in the `Sentry.init()` c ## Information About Logged-in User -By default, the Sentry SDK doesn't send any information about the logged-in user, such as email address, user ID, or username. Even if enabled, the type of logged-in user information you'll be able to send depends on the integrations you enable in Sentry's SDK. Most integrations won't send any user information. Some will only set the user ID, but there are a few (e.g. User Feedback) that will set the user ID, username, and email address. +By default, the Sentry SDK doesn't send any information about the logged-in user, such as email address, user ID, or username. -To start sending logged-in user information, set `sendDefaultPii: true` in your `Sentry.init({})` config. +The type of logged-in user information you'll be able to send depends on the integrations you enable in Sentry's SDK. Most integrations won't send any user information. Some integrations (e.g. User Feedback) make it possible to send data like the user ID, username, and email address. ## Users' IP Address and Location 
@@ -44,27 +42,35 @@ The full request URL of outgoing and incoming HTTP requests is **always sent to ## Request Query String -The full request query string of outgoing and incoming HTTP requests is **always sent to Sentry**. Depending on your application, this could contain PII data. +The full request query string of outgoing and incoming HTTP requests is **always sent to Sentry**. Depending on your application, this could contain PII data. For example, a query string like `?user_id=1234`, where `1234` is a user id (which may be considered PII). + +However, Sentry has some default [server-side data scrubbing](/security-legal-pii/scrubbing/server-side-scrubbing/) in place to remove sensitive data from the query string. For example, the `apiKey` and `token` query parameters are removed by default. ## Request Body -- **The type of the request body:** - - JSON and HTML Form bodies are sent -- **The size of the request body:** There's a maxRequestBodySize option that's set to `NONE` by default. This means by default no request body is sent to Sentry. +By default, Sentry sends the size of the body content of incoming HTTP requests. This is inferred from the `content-length` header. Sentry does not send the request body itself on the client-side. + + + On the server-side, the incoming request body is captured by default. You can disable sending the incoming request body by configuring `ignoreIncomingRequestBody` in the HTTP Integration. + + + + If `sendDefaultPii` is enabled, you can send Form Data with `captureActionFormDataKeys` in the Remix server-side configuration. + ## Response Body -By default, the Sentry SDK doesn't send the content of response bodies. By default, the SDK will send the response body size based on the `content-length` header. +By default, the Sentry SDK doesn't send the body content of responses received from outgoing requests. By default, the SDK will send the response body size based on the `content-length` header. 
## Source Context -By default, using the Sentry CLI Wizard will enable uploading source maps to Sentry. +By default, SDKs set up by the Sentry CLI Wizard (`@sentry/wizard`) will enable uploading source maps to Sentry. To disable source map upload, see the Source Maps documentation. ## Local Variables In Stack Trace -By default, the Sentry SDK will not send local variables in the error stack trace in client-side JavaScript SDKs. +The Sentry SDK does not send local variables in the error stack trace in client-side JavaScript SDKs. You can enable sending local variables by setting `includeLocalVariables: true` in the `Sentry.init()` call. This activates the Local Variables Integration. The integration is added by default in Node.js-based runtimes. @@ -83,6 +89,8 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat ## Session Replay By default, our Session Replay SDK masks all text content, images, web views, and user input. This helps ensure that no sensitive data is exposed. You can find more details in the Session Replay documentation. + + Session Replay also captures basic information about all outgoing fetch and XHR requests in your application. This includes the URL, request and response body size, method, and status code. If `networkDetailAllowUrls` are defined, the request and response body will be sent to Sentry as well. This can include PII data if the request or response body contains PII information. ## Referrer URL @@ -91,7 +99,7 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat ## Console Logs - By default, the Sentry SDK sends JS console logs to Sentry which may contain PII data. + By default, the Sentry SDK sends JS console logs to Sentry as breadcrumbs which may contain PII data. To disable sending console messages, set `console: false` in your `Sentry.breadcrumbsIntegration` config, see the Breadcrumbs documentation. From 9361a1380aa1b37fffcc0879d1029e487de844bb Mon Sep 17 00:00:00 2001 
From: s1gr1d Date: Wed, 30 Apr 2025 12:18:37 +0200 Subject: [PATCH 6/7] review suggestions --- .../data-management/data-collected/index.mdx | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx index f2d0beb23b5fc..2d0f8174aef1b 100644 --- a/docs/platforms/javascript/common/data-management/data-collected/index.mdx +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx @@ -6,9 +6,9 @@ notSupported: - javascript.electron --- -Sentry takes data privacy very seriously and has default settings in place that prioritize data safety, especially when it comes to personally identifiable information (PII) data. When you add the Sentry SDK to your application, you allow it to collect data and send it to Sentry during the runtime of your application. +Sentry takes data privacy very seriously and has default settings in place that prioritize data safety, especially when it comes to personally identifiable information (PII) data. When you add the Sentry SDK to your application, you allow it to collect data and send it to Sentry during the runtime and build time of your application. -The category types and amount of data collected vary, depending on the integrations you've enabled in the Sentry SDK. This page lists data categories that the Sentry Android SDK collects. +The category types and amount of data collected vary, depending on the integrations you've enabled in the Sentry SDK. This page lists data categories that the Sentry JavaScript SDK collects. Many of the categories listed here require you to enable the sendDefaultPii option. 
@@ -18,7 +18,7 @@ By default, the Sentry SDK sends HTTP response or request headers. ## Cookies -By default, the Sentry SDK doesn't send cookies. Sentry tries to remove any cookies that contain sensitive information, such as the Session ID and CSRF Token cookies in Django. +By default, the Sentry SDK doesn't send cookies. If you want to send cookies, set `sendDefaultPii: true` in the `Sentry.init()` call. This will send the cookie headers `Cookie` and `Set-Cookie` from fetch and XHR requests. @@ -91,11 +91,9 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat By default, our Session Replay SDK masks all text content, images, web views, and user input. This helps ensure that no sensitive data is exposed. You can find more details in the Session Replay documentation. Session Replay also captures basic information about all outgoing fetch and XHR requests in your application. This includes the URL, request and response body size, method, and status code. If `networkDetailAllowUrls` are defined, the request and response body will be sent to Sentry as well. This can include PII data if the request or response body contains PII information. - - - ## Referrer URL - By default, the Sentry SDK sends the referrer URL to Sentry. This is the URL of the page that linked to the current page. + Console messages are also captured by default in Session Replay. To scrub console messages, you can use the `beforeAddRecordingEvent` option to filter console messages before they are sent to Sentry. + ## Console Logs @@ -103,6 +101,10 @@ In server-side environments, the Sentry SDK uses the `os` module to get informat To disable sending console messages, set `console: false` in your `Sentry.breadcrumbsIntegration` config, see the Breadcrumbs documentation. + ## Referrer URL + + By default, the Sentry SDK sends the referrer URL to Sentry. This is the URL of the page that linked to the current page. + 
From 2fd01425c836aa46e3f83671c696c08cecb82475 Mon Sep 17 00:00:00 2001 From: s1gr1d Date: Wed, 30 Apr 2025 12:39:49 +0200 Subject: [PATCH 7/7] fix 404 --- .../javascript/common/data-management/data-collected/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx index 2d0f8174aef1b..086552cbf2297 100644 --- a/docs/platforms/javascript/common/data-management/data-collected/index.mdx +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx @@ -50,7 +50,7 @@ However, Sentry has some default [server-side data scrubbing](/security-legal-pi By default, Sentry sends the size of the body content of incoming HTTP requests. This is inferred from the `content-length` header. Sentry does not send the request body itself on the client-side. - + On the server-side, the incoming request body is captured by default. You can disable sending the incoming request body by configuring `ignoreIncomingRequestBody` in the HTTP Integration.
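
Review bot: In PATCH 1/7 (hunk @@ -0,0 +1,113 @@), the "Local Variables In Stack Trace" section leaves the Node.js default unclear. It says local variables are not sent in client-side SDKs, that `includeLocalVariables: true` enables them, and that the integration "is added by default in Node.js-based runtimes". Please state explicitly whether a Node.js app sends local variable values without setting `includeLocalVariables`, since those values can hold secrets or PII. In the same hunk, "LLM Inputs And Responses" does not say whether the prompt is sent by default or only with `sendDefaultPii`, unlike most other sections, and its link targets `blob/master`, which breaks if the file moves; a permalink or an inline attribute list would be more stable.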
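
Review bot: In PATCH 2/7, last hunk of index.mdx (@@ -110,4 +110,8 @@), the new "Stack Trace Context Lines" section says the integration is enabled by default and may send PII but gives no way to turn it off. The neighbouring sections (Console Logs, Source Context) each name the opt-out or link to it; add the equivalent sentence here. "PII data if the code contains PII information" could also be tightened to "PII if the source code contains it".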
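
Review bot: In PATCH 5/7, hunk @@ -14,9 +14,7 @@ (HTTP Headers), the new sentence "By default, the Sentry SDK sends HTTP response or request headers" does not say which headers are sent or whether credential-bearing ones such as `Authorization` are filtered. It also reads as contradicting the Cookies section directly below, which says the `Cookie` and `Set-Cookie` headers are only sent with `sendDefaultPii: true`. Suggest stating the exception in this section (for example "all headers except ..."), and using "request and response headers" rather than "response or request".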
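
Review bot: In PATCH 5/7, hunk @@ -26,9 +24,9 @@ (Information About Logged-in User), removing the "To start sending logged-in user information, set `sendDefaultPii: true`" line leaves the section without any statement of what turns user data on. The first paragraph says nothing is sent by default and the second says it depends on the integrations, so a reader cannot tell whether `sendDefaultPii` still gates this category. Please say which it is, in line with the intro sentence that many categories require `sendDefaultPii`.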
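
Review bot: In PATCH 5/7, hunk @@ -44,27 +42,35 @@ (Request Query String), the added paragraph says `apiKey` and `token` "are removed by default", but the mechanism it links to is server-side scrubbing, and the paragraph above still says the full query string is "always sent to Sentry". Please make explicit that these values leave the application and are scrubbed on Sentry's side, so readers who must keep them off the wire know to filter in the SDK. In the same hunk, the Request Body text now says the server-side body "is captured by default" and no longer mentions the `maxRequestBodySize` option from the replaced lines; say whether a size limit still applies.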
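
Review bot: In PATCH 5/7, hunk @@ -83,6 +89,8 @@ (Session Replay), the added paragraph sits awkwardly after "This helps ensure that no sensitive data is exposed": it says the URL of every outgoing fetch and XHR request is captured, and the Request URL section already notes that URLs can contain PII. Suggest adding that caveat here or cross-referencing the Request URL section. Minor: "If `networkDetailAllowUrls` are defined" should be "is defined", and "PII data if the request or response body contains PII information" repeats itself.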
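
Review bot: In PATCH 6/7, hunk @@ -91,11 +91,9 @@ (Session Replay console messages), the new sentence gives `beforeAddRecordingEvent` as the way to scrub console messages in replays, while the Console Logs section just below tells readers to set `console: false` in `Sentry.breadcrumbsIntegration`. Please state whether `console: false` also stops console capture in Session Replay or whether the two must be configured separately, otherwise a reader who disables breadcrumbs may assume console output no longer leaves the page.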