PII Redaction

BugSpotter automatically detects and masks sensitive text data in the browser before upload. When enabled (default), text fields are sanitized before submission.

Built-in Patterns (9 types)

Pattern	Detects	Example
`email`	Email addresses	`user@example.com` → `[REDACTED-EMAIL]`
`phone`	Phone numbers	`+7 701 123-4567` → `[REDACTED-PHONE]`
`creditcard`	Credit card numbers	`4111-1111-1111-1111` → `[REDACTED-CREDITCARD]`
`ssn`	US Social Security	`123-45-6789` → `[REDACTED-SSN]`
`iin`	Kazakhstan IIN/BIN	`860101350478` → `[REDACTED-IIN]`
`ip`	IPv4 and IPv6	`192.168.1.1` → `[REDACTED-IP]`
`apikey`	Stripe, AWS, Google keys	`sk_live_...` → `[REDACTED-APIKEY]`
`token`	Bearer, JWT, OAuth	`eyJhbG...` → `[REDACTED-TOKEN]`
`password`	Password field values	→ `[REDACTED-PASSWORD]`

Presets

Use a preset name instead of listing patterns individually:

Preset	Patterns included
`all`	All 9 patterns
`minimal`	email, creditcard, ssn
`financial`	creditcard, ssn
`contact`	email, phone
`identification`	ssn, iin
`credentials`	apikey, token, password
`kazakhstan`	email, phone, iin
`gdpr`	email, phone, ip
`pci`	creditcard

// Use a preset
await BugSpotter.init({
  sanitize: { patterns: 'kazakhstan' },  // email + phone + IIN
});

// Or pick individual patterns
await BugSpotter.init({
  sanitize: { patterns: ['email', 'phone', 'creditcard'] },
});

Custom Patterns

Add regex patterns for industry-specific data:

await BugSpotter.init({
  sanitize: {
    patterns: 'all',
    customPatterns: [
      {
        name: 'broker-account',
        regex: /FRH\d{9}/gi,
        description: 'Freedom Finance broker account',
      },
      {
        name: 'iban-kz',
        regex: /KZ\d{18}/gi,
        description: 'Kazakhstan IBAN',
      },
      {
        name: 'internal-id',
        regex: /ORD-\d{6,}/gi,
        description: 'Internal order ID',
      },
    ],
    excludeSelectors: ['.public-info'],
  },
});

Custom patterns produce [REDACTED-BROKER-ACCOUNT], [REDACTED-IBAN-KZ], etc.

Visual Element Exclusion

Text sanitization handles console logs, network URLs, and metadata. For visual elements:

Session Replay: Use replay.blockSelectors to hide DOM elements from recording
Screenshots: Add data-bugspotter-exclude attribute to exclude elements

Performance

PII sanitization adds < 50ms overhead. Patterns are compiled once and reused. Recursive sanitization handles nested objects with circular reference protection.

Next: Self-Hosted Deployment →