Privacy Configuration

Configure what data LogNroll collects and how it is sanitized to fit your product and compliance needs.

Sanitize DOM Data

Control how DOM is recorded during session replay. By default, password inputs are excluded; additional elements can be sanitized via attributes and config. Sanitized elements are rendered with zebra striping and data is excluded on the client.

Sanitizing individual elements

Add data-private to sanitize an element and its children. Only dimensions are recorded; no inner content or interactions are captured.

<div data-private>
  This data will <strong>not</strong> be recorded.
</div>

Use data-private="delete" to hide an element entirely from playback.

Lorem Ipsum on inputs

For input and textarea, set data-private="lipsum" to render placeholder characters matching the length of the typed text during playback.

<textarea data-private="lipsum"></textarea>

Sanitize all user input fields

Set dom.inputSanitizer to obfuscate all user-input elements. Allowlist specific nodes with data-public. You can also use"lipsum" to simulate typing without capturing real values.

// Obfuscate all user inputs
LogRocket.init(YOUR_APP_ID, {
  dom: {
    inputSanitizer: true,
  },
});

// Replace all user inputs with Lorem Ipsum
LogRocket.init(YOUR_APP_ID, {
  dom: {
    inputSanitizer: "lipsum",
  },
});

// Allowlist a specific field
<input data-public title="this is not private" />

Sanitize all text fields

Set dom.textSanitizer to obfuscate all text nodes. Nodes can be allowlisted with data-public.

LogRocket.init(YOUR_APP_ID, {
  dom: {
    textSanitizer: true,
  },
});

<textarea data-public>This is not private</textarea>

Sanitize by attribute

Use privateAttributeBlocklist to blocklist attributes; matching elements are treated like data-private.

LogRocket.init(YOUR_APP_ID, {
  dom: {
    privateAttributeBlocklist: ['data-hide-this'],
  },
});
// <div data-hide-this></div> will not be recorded

Sanitize by CSS class name

Use privateClassNameBlocklist to exclude elements by class name.

LogRocket.init(YOUR_APP_ID, {
  dom: {
    privateClassNameBlocklist: ['class-hide-this'],
  },
});
// <div class="class-hide-this"></div> will not be recorded

Disable recording specific attributes

Use hiddenAttributes for fine-grained control to exclude specific HTML attributes (name and value) without removing the entire element.

LogRocket.init(YOUR_APP_ID, {
  dom: {
    hiddenAttributes: ['hidden-value'],
  },
});
// <div hidden-value="foo" shown-value="bar"></div>
// will be recorded as <div shown-value="bar"></div>

Disable DOM logging

Set dom.isEnabled to falseto disable all DOM recording. This will make session replay blank for that page, though network requests and console logs will continue to record.

LogRocket.init(YOUR_APP_ID, {
  dom: {
    isEnabled: false,
  },
});

_lr-hide (legacy)

DOM trees with the _lr-hide class are sanitized similar todata-private, but are entirely excluded from visualization. Prefer the newer mechanisms above.

Source: LogRocket Docs — Sanitize DOM Data

Sanitize Network Data

Control how data is captured from network requests and responses. You can scrub or remove sensitive fields, or disable specific request/response pairs while preserving useful timing and error information.

Sanitize a network request

Use requestSanitizer to scrub sensitive data from outgoing requests or to ignore a request/response pair entirely. Return the modified request object, or returnnull to ignore the pair.

Ignore by URL

// Add this to your existing init call, do not call init twice!
LogRocket.init(YOUR_APP_ID, {
  network: {
    requestSanitizer: (request) => {
      if (request.url.toLowerCase().includes('ignore')) {
        return null; // ignore the request/response pair
      }
      return request;
    },
  },
});

Remove body from request

LogRocket.init(YOUR_APP_ID, {
  network: {
    requestSanitizer: (request) => {
      if (request.url.toLowerCase().includes('ignore')) {
        return { ...request, body: null };
      }
      return request;
    },
  },
});

Redact a header value

LogRocket.init(YOUR_APP_ID, {
  network: {
    requestSanitizer: (request) => {
      return {
        ...request,
        headers: {
          ...request.headers,
          'x-auth-token': '', // or null to remove
        },
      };
    },
  },
});

Sanitize a network response

Use responseSanitizer to redact sensitive data from responses. Return null to redact all fields and record only timing data.

Remove body from responses

LogRocket.init(YOUR_APP_ID, {
  network: {
    responseSanitizer: (response) => {
      if (typeof response.body === 'string' && response.body.includes('<field to redact>')) {
        return { ...response, body: undefined };
      }
      return response;
    },
  },
});

Redact or delete specific fields

// Delete a field entirely
if (response.body?.field_to_delete) {
  return {
    ...response,
    body: {
      ...response.body,
      field_to_delete: undefined,
    },
  };
}

// Obfuscate a field's value
if (response.body?.field_to_hide) {
  return {
    ...response,
    body: {
      ...response.body,
      field_to_hide: '**redacted**',
    },
  };
}
return response;

Remove all response data

LogRocket.init(YOUR_APP_ID, {
  network: {
    responseSanitizer: () => null,
  },
});

Disable recording of all network data

Set isEnabled to false to disable network data capture entirely. When possible, prefer sanitizing headers and bodies to maintain timing and error data.

LogRocket.init(YOUR_APP_ID, {
  network: {
    isEnabled: false,
  },
});

Source: LogRocket Docs — Sanitize Network Data

Sanitize URLs

Scrub sensitive values from the browser URL path and query string usingurlSanitizer. The returned URL is used for searches and metrics. You can redact, normalize, or remove parts entirely.

Use the URL sanitizer function

LogRocket.init(YOUR_APP_ID, {
  browser: {
    urlSanitizer: (url) => {
      let sanitizedUrl = url;

      // Redact the path segment following /ssn/
      sanitizedUrl = sanitizedUrl.replace(//ssn/([^/]*)/i, '/ssn/REDACTED');

      // Redact the value of the query parameter secret_key
      sanitizedUrl = sanitizedUrl.replace(/secret_key=([^&]*)/, 'secret_key=REDACTED');

      // Return the sanitized URL string
      return sanitizedUrl;
    },
  },
});

Source: LogRocket Docs — Sanitize URLs

Enable or Disable IP Capture (Web)

Choose whether client IP addresses are captured for web sessions. Disabling IP capture may be required for certain privacy regimes.

Disable Page Titles

By default, page titles from document.titleare captured to help differentiate tabs during replay. If titles may include sensitive data, disable title capture via dom.disablePageTitles.

Disable title capture

LogRocket.init(YOUR_APP_ID, {
  dom: {
    disablePageTitles: true,
  },
});

Source: LogRocket Docs — Disable Page Titles