tinyreplay.
Privacy

Masking

How and where sensitive content is masked - the privacy view.

Masking is the core privacy mechanism. The important property: it happens in the browser, at capture time, before any event is buffered or transmitted. Masked content never exists in the recording, so it cannot leak in transit or at rest.

Default: all inputs masked

maskAllInputs is true by default. Every <input>, <textarea>, and <select> value is masked the moment it's recorded.

Opt-in: mask any text

<span data-tr-mask>Sensitive copy here</span>

data-tr-mask masks an element's text and its entire subtree. It maps to rrweb's mask-text primitive.

Masking vs. ignoring

Masking keeps the shape of the page (you see a field, a label, a value outline) but replaces the characters. To remove a region entirely, use ignored elements.

Why capture-time matters

01Browser SDKrrweb capture + masking
02Batch Transportbuffer · flush · beacon
03Ingest APIPOST /api/ingest
04SQLitesessions · events (WAL)
05Replay Dashboardscrub · inspect

The masking step lives inside the Browser SDK node - the first box in the flow. By the time data reaches the transport, the network, or SQLite, the sensitive characters are already gone. There is no downstream stage where unmasked content exists.

What this does not cover

Masking governs text and input values. It does not, on its own, hide:

  • Background images or media referenced by URL.
  • Text that you render outside a masked element.

For anything that must never be recorded in any form, block it entirely - see ignored elements - and review the full guarantees.

Rate Limits

Per-IP ingest rate limiting and the payload size ceiling.

Ignored Elements

Block elements and their subtrees from being recorded at all.

On this page

Default: all inputs maskedOpt-in: mask any textWhy capture-time mattersWhat this does not cover