DBA Replay supports several tools for preventing the capture of Personally Identifiable Information (PII). Masking occurs in the browser before the recording is transmitted to the server.

Additionally, as page contents change over time, masking is reapplied to these changes before they are sent to the server. This also applies to text fields that the user types into. Before any character is sent, it is checked against the masking exclusion and inclusion rules.

Masking replaces each letter with a weighted random letter using the natural distribution of letters in the English alphabet. Numbers are replaced by zeroes and special characters are not changed.

Masking Configuration

Two modes are available to configure your site for masking: "mask everything" and "unmask everything". With "mask everything" everything on every recorded site is masked, while using "unmask everything" the opposite is true. After choosing your preferred masking mode you are still able to selectively mask or unmask specific portions of a page or even the whole page by using CSS selectors or pagenames.

You can also mask or unmask elements by adding an attribute or class to the element you want masked or unmasked. Use [mpt-anon] to mask and to unmask use [mpt-visible]. To unmask you can alternatively also use the CSS class fsrVisible


  • Password Inputs are always masked, no matter what configuration you choose and can't be unmasked in any way.
  • Content of images is not masked

Example of how selective masking/unmasking would look for an address


Examples on how to unmask/mask using attributes or classes:

<div mpt-visible>This text will be unmasked</div>
<div class="fsrVisible">This text will also be unmasked</div>
<div mpt-anon>This text will be masked</div>
<div>This text will be masked or unmasked depending on your configuration for this site</div>

Recommended Configuration

By default we recommend to use "mask everything" and then selectively unmask information vital to your analysis. This is the safest way to protect Personally Identifiable Information (PII). Otherwise any change on your website, for example CSS class names used to mask a specific element, could reveal PII.

Fields to Mask

The following fields should be masked:

  • Login Information (user name, password, security question, password recovery data)
  • Account numbers (full and partial)
  • Government issued identification numbers (Social Security, Driver’s License, etc.)
  • Data obtained from a U.S. consumer reporting agency, such as employee background investigation reports, credit reports, and credit scores.
  • Health information (other than simple name and patient status)
  • Data information revealing race, ethnicity, national origin, religion, sexual orientation, criminal history, or trade union membership. Also, criminal records or allegations of crimes of EU residents.
  • Address Data

Verify that Masking is working

  1. Navigate to the site (with staging configuration).
  2. Open your browsers DevTools by pressing F12 and navigate to the "Console" tab.
  3. Execute the following command: Mpathy.showConsole().
  4. After the page has automatically reloaded you should see the WebSDK Console injected into the page.
  5. Click on "Show Masked Page".
  6. A new browser tab will show the masking result.

A fully masked page will look something like this: