Replay Masking

ForeSee® Replay for Web supports several tools for preventing the capture of Personally Identifiable Information (PII). This masking occurs in the browser before the recording is transmitted to the server. Here is a simplified flow diagram showing the masking sequence as it occurs during recording:


Additionally, as page contents change over time, the masking is reapplied to these changes before they are added to the buffer. This also applies to text fields that the user types into. Before any character is added to the buffer, it's checked against the masking blacklist and whitelisting rules.

ForeSee works with new customers to determine what areas of the site or app need to be blocked from recording to ensure confidentiality.

Masking Form Inputs

By default, masking of form inputs is automatic. Text inputs (including password fields, which are already obscured but not masked) have their values replaced:

In some cases, you may want to see the contents of a specific field that doesn't contain personally identifiable information (PII). An example of this would be a search box. To unmask a particular field, you can add our whitelisting CSS class "fsrVisible" to the input:

<input type="text" class="fsrVisible">

You can add this yourself in your HTML project or include the input in your Secure Information Form when going through the implementation process.

Here's an example of Masking Form Inputs:


Web SDK 19.7 - Modern Replay - Default Text Scrambling

Web SDK 19.7 introduced the default All Masking feature. This feature allows ForeSee to quickly deploy Replay and mask all content (text and inputs) of all pages by default, across the full domain. It scrambles all text that exists on the website, as seen here in these visible examples. After deployment, ForeSee can work backward, unmasking large sections of the website by URL patterns (for example HTTP:.../catelog), and then, at a more granular level, selectively masking areas of the page.

To loosen the masking restriction from the default of full masking, contact ForeSee Support.

**Note:** Inputs are always masked by default (whitelisting mode), even if the rest of the page is in the pagesToSelectiveMask list and has selectiveMaskZones set up. This functionality is to make sure that inputs cannot accidentally leak PII. New fields added to a form are always masked unless configured otherwise with visible inputs.

Inline HTML Masking

The other major type of Personally Identifiable Information (PII) that you want to keep out of your replays is inline with the HTML of your page. Sometimes a username appears in a logged-in section, or a street address can appear during a checkout flow. We have the ability to mask this content before it's transmitted to the server to be part of a movie.

There are two ways to do this: by adding the masking HTML tags to your pages, or by telling ForeSee about these regions on your Secure Information Form (SIF) so the code can be configured to block them. To mask a region of an HTML page yourself, add these HTML comments to the page:

<div><!-- fsrHiddenBlockStart -->Some text I want to <span>mask!</span><!-- fsrHiddenBlockEnd --></div>

You can include HTML tags in the section you want to mask. You can mask large sections of text with HTML formatting mixed in. For example:

<!-- fsrHiddenBlockStart --><table><tr><td>some text</td></tr></table><!-- fsrHiddenBlockEnd -->
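A pre-deployment check for the markup described above, as an added example that is not ForeSee code and does not reproduce how the Replay SDK parses pages. It reports unbalanced `fsrHiddenBlockStart`/`fsrHiddenBlockEnd` comments and inputs that carry `fsrVisible` while looking like PII fields; the function names, the `PII_HINT` pattern and the choice to flag a start marker inside an open block are assumptions.

```javascript
// Added example: static audit of Replay masking markup in an HTML string.
// Assumption: PII_HINT is a local heuristic, not a ForeSee rule.
const MARKER = /<!--\s*(fsrHiddenBlockStart|fsrHiddenBlockEnd)\s*-->/g;
const INPUT = /<input\b[^>]*>/gi;
const PII_HINT = /(pass|ssn|social|account|card|email|phone|dob|address|user)/i;

function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(tag);
  return m ? m[1] : "";
}

function auditMasking(html) {
  const findings = [];
  let openAt = -1; // offset of the currently open start marker, or -1
  for (const m of html.matchAll(MARKER)) {
    if (m[1] === "fsrHiddenBlockStart") {
      if (openAt !== -1) findings.push({ issue: "start-inside-open-block", offset: m.index });
      else openAt = m.index;
    } else if (openAt === -1) {
      findings.push({ issue: "end-without-start", offset: m.index });
    } else {
      openAt = -1; // block closed correctly
    }
  }
  if (openAt !== -1) findings.push({ issue: "start-without-end", offset: openAt });

  for (const m of html.matchAll(INPUT)) {
    const tag = m[0];
    // Inputs without the whitelisting class stay masked by default.
    if (!attr(tag, "class").split(/\s+/).includes("fsrVisible")) continue;
    const type = attr(tag, "type").toLowerCase();
    const label = [attr(tag, "name"), attr(tag, "id"), attr(tag, "autocomplete")].join(" ");
    if (type === "password" || PII_HINT.test(label)) {
      findings.push({ issue: "pii-field-unmasked", offset: m.index, tag });
    }
  }
  return findings;
}

// Constructed sample page: one safe whitelisted search box, one whitelisted
// account field, and a hidden block whose end marker was forgotten.
const SAMPLE = [
  '<form>',
  '  <input type="text" name="q" class="fsrVisible">',
  '  <input type="text" name="account_number" class="form-control fsrVisible">',
  '  <input type="password" name="pw">',
  '</form>',
  '<div><!-- fsrHiddenBlockStart -->Jane Doe, 1 Main St</div>',
].join("\n");
console.log(auditMasking(SAMPLE).map((f) => f.issue));
```

Run it over rendered templates in CI so a missing end marker or a newly whitelisted field is reviewed before it reaches production.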

Here's an example of Inline HTML Masking:


Fields to Mask

The following fields should be masked:

  • Login Information (user name, password, security question, password recovery data)
  • Account numbers (full and partial)
  • Government issued identification numbers (Social Security, Driver’s License, etc.)
  • Data obtained from a U.S. consumer reporting agency, such as employee background investigation reports, credit reports, and credit scores.
  • Health information (other than simple name and patient status)
  • Data revealing race, ethnicity, national origin, religion, sexual orientation, criminal history, or trade union membership. Also, criminal records or allegations of crimes of EU residents.