Scrubbing Sensitive Data

As with any third-party service it’s important to understand what data is being sent to Sentry, and where relevant ensure sensitive data either never reaches the Sentry servers, or at the very least it doesn’t get stored. We recommend filtering or scrubbing sensitive data within the SDK, so that data is not sent with the event, and also configuring server-side scrubbing to ensure the data is not stored.

There are two great examples for data scrubbing that every company should think about:

  • PII (Personally Identifiable Information) such as a user's name or email address, which post-GDPR should be on every company's mind.
  • Authentication credentials, like your AWS password or key.
  • Confidential IP (Intellectual Property), such as your favorite color, or your upcoming plans for world domination.

Personally Identifiable Information (PII)

Our newer SDKs do not purposefully send PII to stay on the safe side. This behavior is controlled by an option called send-default-pii.

Turning this option on is required for certain features in Sentry to work, but also means you will need to be even more careful about what data is being sent to Sentry (using the options below).

If you do not wish to use the default PII behavior, you can also choose to identify users in a more controlled manner, using our user identity context.

Scrubbing Data

SDKs provide a before-send hook, which is invoked before an event is sent and can be used to modify event data to remove sensitive information. Using before-send in the SDKs to scrub any data before it is sent is the recommended scrubbing approach, so sensitive data never leaves the local environment.

A BiFunction<SentryEvent, Object, SentryEvent> can be used to mutate, discard (return null), or return a completely new event.

Copied
import io.sentry.Sentry;

Sentry.init(
  options -> {
    options.setBeforeSend(
      (event, hint) -> {
        // Modify the event here:
        event.setServerName(null); // Don't send server names.
        return event;
      });
  });

When using the Spring Boot integration, beforeSend, it can be registered simply by creating a Spring bean implementing the BeforeSendCallback. See our documentation for Advanced Usage of the Spring Boot integration for more details.

There's a few areas you should consider that sensitive data may appear:

  • Stack-locals → some SDKs (Python + PHP), will pick up variable values within the stacktrace. This can be scrubbed or disabled altogether, if necessary
  • Breadcrumbs → some SDKs (for example, JavaScript, Java logging integrations) will pick up previously executed log statements. Do not log PII if using this feature and including log statements as breadcrumbs in the event. Some backend SDKs will surface DB queries which may need to be scrubbed
  • User context → automated behavior is controlled via send-default-pii
  • HTTP context → query strings may be picked up in some frameworks as part of the HTTP request context

For more details, see Filtering Events.

Examples

Contextual information

Instead of sending confidential information in plaintext, considering hashing it:

Copied
import io.sentry.Sentry;

Sentry.configureScope(scope -> {
    scope.setTag("birthday", checksumOrHash("08/12/1990");
});

This will allow you to correlate it within internal systems if needed, but keep it confidential from Sentry.

User details

Your organization may determine that emails are not considered confidential, but if they are, consider instead sending your internal identifier:

Copied
import io.sentry.Sentry;
import io.sentry.protocol.User;

Sentry.configureScope(scope -> {
    User user = new User();
    // User Id:
    user.setId(clientUser.getId());
    // Or Username:
    user.setUsername(clientUser.getUsername());
    scope.setUser(user);
});

Doing this will ensure you still benefit from user-impact related features.

Logging integrations

As a best practice you should always avoid logging confidential information. If you have legacy systems you need to work around, consider the following:

  • Anonymize the confidential information within the log statements (for example, swap out email addresses -> for internal identifiers)
  • Use beforeBreadcrumb to filter it out from breadcrumbs before it is attached
  • Disable logging breadcrumb integration (for example, as described [here] /platforms/javascript/#breadcrumbs-10)
You can edit this page on GitHub.