Session data filtering

AppSignal gathers session data for HTTP requests by default for supported frameworks. This data may help track down errors or performance issues that were caused by some session data an app is using. However, some of this session data may contain sensitive user information, which should not be sent to the AppSignal servers.

Use session data filtering to filter out specific keys or disable the feature entirely.

Do not send Personally Identifiable Information (PII) to AppSignal. You must ensure that PII (such as personal names, email addresses, passwords, etc.) is filtered before data is sent to AppSignal. If you must identify a person, consider using a user ID, hash or pseudonymized identifier instead.

Filter session data

An app's session data can be filtered by configuring keys in a denylist. The values of all session data keys configured in this list are filtered out.

Any session data values that are filtered out by this system will be replaced with a [FILTERED] value. This way the list of session data in the app data on AppSignal.com still includes the session data key, but not the value. This makes it easier to see that a value was present, but that the potentially sensitive data was filtered out.

Read our guide about setting up session data filtering for your app.

Filter all session data

To filter all session data without individual key filtering, set the "skip session data" config option to "true" in the integration configuration, or set "send session data" to "false" if that is the option your integration supports.

The following is a non-exhaustive list of session data keys that may be used by an application. Pick the keys that are relevant for your applications.

  • Email addresses
    • email
    • email_address
  • Tokens
    • token
    • api_token
    • sign_up_token
    • reset_password_token
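
The sketch below is an added example, not AppSignal's own code. It mimics the denylist behaviour described above using the keys from this list, then scans what remains for values that still look like an email address or token, which helps you decide which further keys to add. Filtering inside nested hashes, the two regex heuristics and the sample session are assumptions made for this example.

```python
import re

FILTERED = "[FILTERED]"
# Denylist built from the keys listed on this page.
DENYLIST = {"email", "email_address", "token", "api_token",
            "sign_up_token", "reset_password_token"}

# Heuristics (assumptions for this example) for values that look sensitive.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")

def filter_session(session, denylist=DENYLIST):
    """Return a copy with denylisted keys' values replaced by [FILTERED]."""
    out = {}
    for key, value in session.items():
        if key in denylist:
            out[key] = FILTERED          # key stays visible, value does not
        elif isinstance(value, dict):
            out[key] = filter_session(value, denylist)
        else:
            out[key] = value
    return out

def find_leaks(filtered, path=""):
    """List key paths whose surviving values still look like an email or token."""
    leaks = []
    for key, value in filtered.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            leaks += find_leaks(value, here)
        elif isinstance(value, str) and value != FILTERED and (
                EMAIL_RE.match(value) or TOKEN_RE.match(value)):
            leaks.append(here)
    return leaks

# Constructed sample session, not real data.
SAMPLE = {
    "user_id": 42,
    "email": "jane@example.com",
    "api_token": "c29tZS1jb25zdHJ1Y3RlZC10b2tlbi12YWx1ZQ",
    "locale": "en",
    "contact": {"email_address": "jane@example.com",
                "backup_mail": "jane.alt@example.com"},
    "csrf": "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg",
}

if __name__ == "__main__":
    cleaned = filter_session(SAMPLE)
    print(cleaned, "still exposed:", find_leaks(cleaned))
```

Here `contact.backup_mail` and `csrf` are reported because their key names are not on the denylist, so they are candidates to add to it.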
