
Gain broader applicability for Session Replay through easier, automated and GDPR-compliant masking presets

Dynatrace preset masking configurations for Session Replay remove the burden of defining and validating individual rules while allowing you to remain compliant with data privacy requirements. 

Whether you run a multinational hotel group or a global ecommerce business, you need a 360-degree view of each end-user journey through your application to make sure that your customers have a perfect experience every time. With Dynatrace Digital Experience Monitoring, you get gapless insight into every single user journey that your customers make in your application.

Dynatrace Session Replay, which is fully integrated with the Dynatrace Software Intelligence Platform, provides you with full insight into the complete digital experience of your end users. Purpose built for modern cloud and single-page applications, Session Replay overcomes the limitations of traditional network-based approaches and other point solutions, which are unable to provide integrated visibility into modern environments. Session Replay provides a video-like experience that helps developers, operations, and application owners troubleshoot errors and identify user struggles so that they can ensure perfect end-user experience and, ultimately, the growth of their digital business.

Ensuring data privacy is of paramount importance

Session Replay was developed with data privacy regulations and laws (GDPR, CCPA, LGPD) foremost in mind. Our masking mechanism allows you to capture your users’ experiences while remaining compliant with the data privacy regulations of your region. We designed our masking mechanism to ensure that CSS rules for masking are evaluated in the client browser—in this way, no sensitive or confidential information ever leaves the client browser.

However, sometimes it can be cumbersome to define the proper CSS rules for masking. Also, if you have huge application landscapes, you can’t manually validate the CSS rules for every new application deployment.

New masking presets save time while ensuring security  

Building on a series of recent improvements to data privacy in Session Replay, we’re happy to provide you with a set of preset masking configurations that gives you secure masking options, along with the option to easily customize your masking rules by specifying exactly which element types can be recorded.

When you customize the list of element types that can be collected, you have the option to ensure that newly added content is masked by default based on your custom setting. You can then be confident that your end users’ data will be completely secure. This makes life easier for Dynatrace administrators, saving them time while ensuring complete security in Session Replay recording.

To cover all your session recording needs and to make setup easier, we’ve introduced the preset masking configurations described in the use cases below.

Use case #1: Troubleshoot errors by masking all content

Now, with a single click, you can Mask all text, images, user input, and attributes. This is the default option, and it’s recommended for those who want to start testing Session Replay while also ensuring that sensitive data is never collected. This preset is perfect for seeing exactly how users interact with your application and when you want to use Session Replay solely for troubleshooting purposes, where the order in which users interact with different application controls is important.   

Mask all content masking preset

Consider a troubleshooting scenario for a single-page application where a lot of content is already preloaded. There’s no interaction with the server, but errors might occur because of the different order in which your users interact with the controls. In such a scenario, you probably don’t need to capture any content, images, or attributes. All you need is a video recording of the page DOM sketch and the user interaction with the website. 

As a developer, you can reproduce any issue that occurs in your single-page application by tracing the interactions of your users and watching the controls that are displayed after those interactions. This should be enough to have all the required steps to reproduce the issue. 

The following video shows a session recorded with the Mask all preset enabled. Note that none of the text on the page is displayed and that the drop-down in the second step of the wizard recording isn’t populated (the user reloads the page and even rage clicks on the drop-down).

Use case #2: Find specific errors by defining the content that you’re interested in

The Allow list masking preset is the same as the Mask all preset except that those elements that match the expressions defined in the allow list are not masked. This ensures that even with subsequent code changes, any new elements that are introduced that display sensitive information won’t be recorded by the Session Replay recorder. This is the recommended approach for most applications, and it allows you to collect only the information you require.   

Imagine a troubleshooting scenario where user interaction during the search process is causing errors that you need to reproduce. Could these errors be the result of incorrect user input? As the search field isn’t user sensitive, you can safely capture any content that’s entered into it. 

In such a situation, select the Allow list preset in your Session Replay configuration and define a CSS selector for the input field. Once you do this, you’ll be able to collect the information you need while ensuring that the rest of the user-entered content isn’t captured.

Allow list masking preset table

Use case #3: Find errors by capturing everything except user input

Mask user input masks all form inputs, including option selections in list boxes and drop-downs. This is the recommended approach when confidential information is only contained in user input (website content, images, and links don’t display confidential information).

If you need your application to capture everything except user input, use the Mask user input preset. 

Use case #4: Troubleshoot by excluding all predefined masking rules

Block list masks only the elements that are defined in the block list, and nothing more. We strive to provide you with the most secure approach by default, so when you select the Block list preset, a list with all the rules applied to the Mask all option is presented to you. You can use this list to exclude or add rules according to your requirements.

This masking preset is most applicable for applications that don’t capture any kind of user data. In such cases, there’s no need to mask anything. By using the Block list preset, you can exclude all the predefined masking rules from the list. 
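How the four presets treat an element that a later deployment adds without any rule, as an added sketch that is not Dynatrace's code. Assumptions: nodes are plain objects, the preset names and the `matches`, `isMasked`, `record` and `leaked` helpers are hypothetical, and the selector matcher handles only tag, `#id` and `.class`.

```javascript
// Simplified model of the four masking presets (added illustration, not Dynatrace code).
// Nodes are plain objects; selectors support only "tag", "#id" and ".class".
const INPUT_TAGS = new Set(["input", "select", "textarea"]);

function matches(node, selector) {
  if (selector.startsWith("#")) return node.id === selector.slice(1);
  if (selector.startsWith(".")) return (node.classes || []).includes(selector.slice(1));
  return node.tag === selector;
}

// True when the node's content must be masked in the browser before recording.
function isMasked(node, preset, rules = []) {
  const hit = rules.some((sel) => matches(node, sel));
  switch (preset) {
    case "mask-all": return true;
    case "allow-list": return !hit; // masked unless explicitly allowed
    case "mask-user-input": return INPUT_TAGS.has(node.tag);
    case "block-list": return hit; // recorded unless explicitly blocked
    default: throw new Error(`unknown preset: ${preset}`);
  }
}

// What a recorder would keep: masked nodes get a fixed placeholder, so length is hidden too.
function record(nodes, preset, rules) {
  return nodes.map((n) => ({ id: n.id, content: isMasked(n, preset, rules) ? "***" : n.content }));
}

// Ids of the nodes whose real content would be recorded.
function leaked(nodes, preset, rules) {
  return nodes.filter((n) => !isMasked(n, preset, rules)).map((n) => n.id);
}

// Constructed sample page: a non-sensitive search box plus sensitive fields.
const page = [
  { tag: "input", id: "search", classes: [], content: "hotel berlin" },
  { tag: "input", id: "card-number", classes: ["payment"], content: "constructed-card-value" },
  { tag: "span", id: "greeting", classes: [], content: "Hello Alice" },
];
// A later deployment adds an element that no rule was written for.
const afterDeploy = [...page, { tag: "div", id: "account-ref", classes: [], content: "constructed-account-ref" }];

console.log(leaked(afterDeploy, "allow-list", ["#search"]));
console.log(leaked(afterDeploy, "block-list", [".payment", "#greeting"]));
console.log(record(afterDeploy, "mask-user-input"));
```

With the allow list, the new `account-ref` element stays masked until someone deliberately allows it; with the block list, it is recorded until someone adds a rule for it.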

How we use masking presets at Dynatrace

As an example, let’s take a look at how we at Dynatrace configure masking rules in order to mask all user input, images, and content in the monitoring environment for our own product. Before the introduction of the new masking presets, you can see that more than 30 masking rules were defined!

Old "mask all" configuration with many CSS rules

Now, thanks to the introduction of the new masking presets, our administrators have decided to migrate to the Mask all preset configuration. They see a big advantage in this migration—there’s no need to check the validity of the defined masking rules after every application redeployment, which saves a lot of time!

In both cases, the resulting recorded sessions are the same. The image below shows the Dynatrace web UI recorded using the Mask all preset.

Dynatrace web UI recorded using "Mask all" preset

Ready to migrate to the new masking presets? 

Migrating to the new masking presets is easy. All you need to do is ensure that the RUM JavaScript tag in the monitored application (which is either auto-injected by OneAgent or manually inserted) is from OneAgent version 1.193+. Then enable the feature in application-specific settings (Session Replay and behavior > Session Replay in the Privacy settings section).

Select Check JavaScript tag version to see if your RUM JavaScript tag is up to date. If this prerequisite is validated, you’ll see the option for enabling the migration (Switch to new masking settings).

Switch for new masking presets after validating RUM JavaScript tag version

The automatic migration process will change your application settings as follows:

  • If your application currently uses the default configuration in which only form inputs are masked, it will be migrated to use the Mask user input preset masking configuration. 
  • If you’ve defined specific masking rules, your application will be migrated to use the Block list masking preset with all the defined rules applicable to content, user input, and attributes.  

What’s next? 

Next, we’ll tackle user roles for accessing Session Replay. This feature stems from a popular request made by our customers. With user roles, you can create teams in your organization and assign them the required permissions to access and replay specific user sessions. This feature will give you more granular control and, thereby, more flexibility.

So please stay tuned and watch this space for updates!