Scrubbing Sensitive Data
As with any third-party service it’s important to understand what data is being sent to Sentry, and where relevant ensure sensitive data either never reaches the Sentry servers, or at the very least it doesn’t get stored.
These are some great examples for data scrubbing that every company should think about:
- PII (Personally Identifiable Information) such as a user's name or email address, which post-GDPR should be on every company's mind.
- Authentication credentials, like your AWS password or key.
- Confidential IP (Intellectual Property), such as your favorite color, or your upcoming plans for world domination.
We offer the following options depending on your legal and operational needs:
- filtering or scrubbing sensitive data within the SDK, so that data is not sent to Sentry. Different SDKs have different capabilities, and configuration changes require a redeployment of your application.
- configuring server-side scrubbing to ensure Sentry does not store data. Configuration changes are done in the Sentry UI and apply immediately for new events.
- running a local Relay on your own server between the SDK and Sentry, so that data is not sent to Sentry while configuration can still be applied without deploying.
Ensure that your team is aware of your company's policy around what can and cannot be sent to Sentry. We recommend determining this policy early in your implementation and communicating it as well as enforcing it via code review.
If you are using Sentry in your mobile app, read our frequently asked questions about mobile data privacy to assist with Apple App Store and Google Play app privacy details.
If you do not wish to use the default PII behavior, you can also choose to identify users in a more controlled manner, using our user identity context.
Scrubbing Data
SDKs provide a before-send
hook, which is invoked before an event is sent and can be used to modify event data to remove sensitive information. Using before-send
in the SDKs to scrub any data before it is sent is the recommended scrubbing approach, so sensitive data never leaves the local environment.
Sentry.init do |config|
config.before_send = lambda do |event, hint|
# skip ZeroDivisionError exceptions
# note: hint[:exception] would be a String if you use async callback
if hint[:exception].is_a?(ZeroDivisionError)
nil
else
event
end
end
end
There's a few areas you should consider that sensitive data may appear:
- Stack-locals → some SDKs (Python + PHP), will pick up variable values within the stacktrace. This can be scrubbed or disabled altogether, if necessary
- Breadcrumbs → some SDKs (for example, JavaScript, Java logging integrations) will pick up previously executed log statements. Do not log PII if using this feature and including log statements as breadcrumbs in the event. Some backend SDKs will surface DB queries which may need to be scrubbed
- User context → automated behavior is controlled via
send-default-pii
- HTTP context → query strings may be picked up in some frameworks as part of the HTTP request context
For more details, see Filtering Events.
Examples
Contextual information
Instead of sending confidential information in plaintext, consider hashing it:
The platform or SDK you've selected either does not support this functionality, or it is missing from our documentation. Please use this code sample from JavaScript as a basis:
Sentry.setTag("birthday", checksumOrHash("08/12/1990"));
This will allow you to correlate it within internal systems if needed, but keep it confidential from Sentry.
User details
Your organization may determine that emails are not considered confidential, but if they are, consider instead sending your internal identifier:
The platform or SDK you've selected either does not support this functionality, or the code sample is missing from our documentation. Please use this code sample from JavaScript as a basis:
Sentry.setUser({ id: user.id });
// or
Sentry.setUser({ username: user.username });
Doing this will ensure you still benefit from user-impact related features.
Logging integrations
As a best practice you should always avoid logging confidential information. If you have legacy systems you need to work around, consider the following:
- Anonymize the confidential information within the log statements (for example, swap out email addresses -> for internal identifiers)
- Use
beforeBreadcrumb
to filter it out from breadcrumbs before it is attached - Disable logging breadcrumb integration (for example, as described here)
- Package:
- gem:sentry-delayed_job
- Version:
- 5.18.2
- Repository:
- https://github.com/getsentry/sentry-ruby