# Filter Session Data

Every time a request is made on a web app, AppSignal collects the session data that was sent with the request for supported frameworks. Sessions contain data specific to your application, but some of the app's dependencies may store data there as well. For example, when a user signs in, some data about that user is stored in the session.

Sessions can contain sensitive or personally identifiable information that should not leave the app. Make sure this data is filtered out before it is sent to the AppSignal servers, so that the app doesn't leak any sensitive data.

<Tip>
  Read more about session data filtering and what types of session data to set
  up filtering for in our [session data filtering topic][session data filtering].
</Tip>

<Warning>
  🔐 Do not send <strong>Personally Identifiable Information (PII)</strong> to AppSignal. Filter PII (e.g., names, emails) and use an ID, hash, or pseudonymized identifier instead. <br /> <br /> For <strong>HIPAA-covered entities</strong>, more info on signing a Business Associate Agreement (BAA) is available in our <a href="/support/business-add-ons">Business Add-Ons documentation</a>.
</Warning>

## Session Data Filtering

Basic session data filtering in the AppSignal integrations works with a denylist: a list of keys whose values are filtered out and not sent. Each integration has a "filter session data" option in the AppSignal configuration that takes a list of session data keys to filter.

Any session data values that are filtered out by these systems will be replaced with a `[FILTERED]` value. This way the list of session data in the app data on AppSignal.com still includes the session data key, but not the value, which makes it easier to see that a value was sent but that the potentially sensitive data was filtered out.

### Example

For example, an application with this AppSignal config:

<CodeGroup>
  ```yaml YAML theme={null}
  filter_session_data: ["password"]
  ```
</CodeGroup>

Results in this view for the session data of a web request on AppSignal.com:

<CodeGroup>
  ```json JSON theme={null}
  {
    "password": "[FILTERED]"
  }
  ```
</CodeGroup>
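
The denylist behaviour described above, including the nested hashes and arrays the language sections below mention, modelled as an added Python example; this is not AppSignal's implementation. It assumes exact, case-sensitive key matching and that a denylisted key's whole value is replaced, neither of which this page specifies; `filter_session`, `unfiltered_paths` and the sample session are constructed for illustration.

```python
FILTERED = "[FILTERED]"


def filter_session(data, denylist):
    """Return a copy of `data` with the values of denylisted keys replaced."""
    if isinstance(data, dict):
        return {
            key: FILTERED if key in denylist else filter_session(value, denylist)
            for key, value in data.items()
        }
    if isinstance(data, list):
        return [filter_session(item, denylist) for item in data]
    return data


def unfiltered_paths(data, prefix=""):
    """List the key paths whose values would still be sent after filtering."""
    paths = []
    if isinstance(data, dict):
        for key, value in data.items():
            paths += unfiltered_paths(value, f"{prefix}.{key}" if prefix else str(key))
        return paths
    if isinstance(data, list):
        for index, item in enumerate(data):
            paths += unfiltered_paths(item, f"{prefix}[{index}]")
        return paths
    return [] if data == FILTERED else [prefix]


# Constructed sample session; every value here is made up.
SAMPLE_SESSION = {
    "user_id": 42,
    "email": "user@example.com",
    "profile": {"name": "Example User", "locale": "en"},
    "devices": [{"label": "laptop", "api_token": "constructed-token"}],
    "csrf_token": "constructed-csrf-value",
}
DENYLIST = {"name", "email", "api_token", "token"}


def demo():
    filtered = filter_session(SAMPLE_SESSION, DENYLIST)
    return filtered, unfiltered_paths(filtered)


if __name__ == "__main__":
    filtered, remaining = demo()
    print(filtered)
    print("still sent:", remaining)
```

Running `unfiltered_paths` over a representative session from your own app gives a review list of what the current denylist still lets through. In this sample `csrf_token` remains because, under the exact-match assumption, the `token` entry does not cover it.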

This guide will show you how to configure your application's session filtering denylist based on what language your application uses:

* [Ruby](#ruby)
* [Elixir](#elixir)
* [Node.js](#nodejs)
* [Python](#python)
* [Go](#go)
* [Java](#java)
* [PHP](#php)

## Ruby

In the Ruby integration, AppSignal automatically stores the contents of the user's session for Rails apps and other frameworks. Specific values can be filtered out, or session data collection can be [disabled entirely].

In session data filtering, there's support for nested hashes and nested hashes in arrays. Any hash we encounter in your session data will be filtered.

To use this filtering, add the following to your `config/appsignal.yml` file in the environment group you want it to apply to. The [`filter_session_data`](/ruby/configuration/options#option-filter_session_data) value is an Array of Strings.

<CodeGroup>
  ```ruby Ruby theme={null}
  Appsignal.configure do |config|
    config.filter_session_data += ["name", "email", "api_token", "token"]
  end
  ```

  ```yaml YAML theme={null}
  production:
    filter_session_data:
      - name
      - email
      - api_token
      - token
  ```
</CodeGroup>

## Elixir

In the Elixir integration, AppSignal automatically stores the contents of the user's session for Phoenix apps. Specific values can be filtered out, or session data collection can be [disabled entirely].

In the session data filtering, there's support for nested hashes and nested hashes in arrays. Any hash we encounter in your session data will be filtered.

To use this filtering, add the following to your `config/appsignal.exs` file. The [`filter_session_data`](/elixir/configuration/options#option-filter_session_data) value is an Array of Strings.

<CodeGroup>
  ```elixir Elixir theme={null}
  config :appsignal, :config,
    filter_session_data: ["name", "email", "api_token", "token"]
  ```
</CodeGroup>

## Node.js

If a request stores session data on the sample, use the session data filter to filter out any data you do not want to include.

In the session data filtering, there's support for nested hashes and nested hashes in arrays. Any hash we encounter in your session data will be filtered.

To use this filtering, use the [`filterSessionData`](/nodejs/3.x/configuration/options#option-filtersessiondata) config option to select which session data keys to filter out.

<CodeGroup>
  ```javascript Node.js theme={null}
  const { Appsignal } = require("@appsignal/nodejs");

  new Appsignal({
    // Other config options
    filterSessionData: ["name", "email", "api_token", "token"],
  });
  ```
</CodeGroup>

## Python

If a request stores session data on the sample, use the session data filter to filter out any data you do not want to include.

In the session data filtering, there's support for nested dictionaries and nested dictionaries in lists. Any dictionary we encounter in your session data will be filtered.

To use this filtering, use the [`filter_session_data`](/python/configuration/options#option-filter_session_data) config option to select which session data keys to filter out.

<CodeGroup>
  ```python Python theme={null}
  from appsignal import Appsignal

  appsignal = Appsignal(
      # Other config
      filter_session_data=["name", "email", "api_token", "token"]
  )
  ```
</CodeGroup>

## Go

If a request stores session data on the sample, use the session data filter to filter out any data you do not want to include.

In the session data filtering, there's support for nested slices and nested maps. Any map we encounter in your session data will be filtered.

Use the [`filter_request_session_data` denylist](/go/configuration/options#option-filter_request_session_data) for request session data filtering. Set the [`send_request_session_data` option](/go/configuration/options#option-send_request__session_data) to `false` to not send any request session data at all.

See the [Go configuration page](/go/configuration/options) for more information on how to configure OpenTelemetry for Go apps.

<CodeGroup>
  ```go Go theme={null}
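  // semconv.SchemaURL comes from the go.opentelemetry.io/otel/semconv version your app imports.
  res := resource.NewWithAttributes(
  	semconv.SchemaURL,
  	attribute.StringSlice("appsignal.config.filter_request_session_data", []string{"password", "cvv"}),
  )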
  ```
</CodeGroup>

## Java

If a request stores session data on the sample, use the session data filter to filter out any data you do not want to include.

In the session data filtering, there's support for nested maps and arrays. Any map encountered in your session data will be filtered.

Use the [`filter_request_session_data`](/java/configuration/options#option-filter_request_session_data) denylist for session data filtering. Set the [`send_request_session_data` option](/java/configuration/options#option-send_request_session_data) to `false` to avoid sending any session data.

See the [Java configuration page](/java/configuration/options) for more information on how to configure OpenTelemetry for Java apps.

<CodeGroup>
  ```bash Bash theme={null}
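  # Percent-encode commas inside a value: OTEL_RESOURCE_ATTRIBUTES uses
  # commas to separate one attribute from the next.
  function encode() {
    echo -n "$@" | sed 's/,/%2C/g'
  }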

  export OTEL_RESOURCE_ATTRIBUTES="\
    appsignal.config.filter_request_session_data=$(encode "name,email,api_token,token"),\
    ..."
  ```
</CodeGroup>

## PHP

If a request stores session data on the sample, use the session data filter to filter out any data you do not want to include.

In the session data filtering, there's support for nested arrays. Any array encountered in your session data will be filtered.

Use the [`filter_request_session_data`][php filter_request_session_data] denylist for session data filtering. Set the [`send_request_session_data`][php send_request_session_data] option to `false` to avoid sending any session data.

<CodeGroup>
  ```php PHP theme={null}
  return [
      'filter_request_session_data' => ['name', 'email', 'api_token', 'token'],
      // ... other options
  ];
  ```
</CodeGroup>

[session data filtering]: /application/session-data-filtering.html

[disabled entirely]: /application/session-data-filtering.html#filter-all-session-data

[php filter_request_session_data]: /php/configuration/options.html#option-filter_request_session_data

[php send_request_session_data]: /php/configuration/options.html#option-send_request_session_data
