Data Security

Middleware provides you with security and privacy controls to ensure customers of any scale do not expose sensitive or personal information. These controls protect end‑user privacy and prevent sensitive data from being collected by masking elements before data ever leaves the browser. When data is masked, it is not collected in its original form by the Middleware SDK and thus is not sent to the Middleware backend.

Configuration

Mask Sensitive Inputs

By default, Middleware hides all input values and any text that matches commonly used regular expressions for personally identifiable information (PII). This protects information such as addresses, phone numbers, social security numbers, credit card numbers, and IP addresses.

Images and media content are not hidden. On rare occasions, non-PII text that resembles these patterns (for example, long numeric strings) may also be masked; this is expected and preferred over accidental exposure of sensitive data.

You can disable sensitive-input masking from the Installation page; however, this is not recommended, as it may expose confidential user data in recordings.

PII patterns masked by default:

Email: '[a-zA-Z0-9.!#$%&'*+=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:.[a-zA-Z0-9-]+)*'
SSN: '[0-9]{3}-?[0-9]{2}-?[0-9]{4}'
Phone number: '[+]?[(]?[0-9]{3}[)]?[-\s.]?[0-9]{3}[-\s.]?[0-9]{4,6}'
Credit card: '[0-9]{4}-?[0-9]{4}-?[0-9]{4}-?[0-9]{4}'
Unformatted SSN, phone number, credit card: '[0-9]{9,16}'
Address: '[0-9]{1,5}.?[0-9]{0,3}\s[a-zA-Z]{2,30}\s[a-zA-Z]{2,15}'
IP address: '(?:[0-9]{1,3}.){3}[0-9]{1,3}'
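
To check which strings in your own UI these defaults would catch, including the non-PII false positives mentioned above, you can run the patterns over sample text before relying on them. This is an added example, not Middleware SDK code: the patterns are copied as printed on this page, while `matchedPatterns`, `previewMask` and the sample strings are constructed for illustration, and the way matches are replaced is an assumption about the SDK.

```javascript
// Default PII patterns, copied as printed on this page.
const PII_PATTERNS = {
  email: /[a-zA-Z0-9.!#$%&'*+=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:.[a-zA-Z0-9-]+)*/,
  ssn: /[0-9]{3}-?[0-9]{2}-?[0-9]{4}/,
  phone: /[+]?[(]?[0-9]{3}[)]?[-\s.]?[0-9]{3}[-\s.]?[0-9]{4,6}/,
  creditCard: /[0-9]{4}-?[0-9]{4}-?[0-9]{4}-?[0-9]{4}/,
  unformattedNumber: /[0-9]{9,16}/,
  address: /[0-9]{1,5}.?[0-9]{0,3}\s[a-zA-Z]{2,30}\s[a-zA-Z]{2,15}/,
  ipAddress: /(?:[0-9]{1,3}.){3}[0-9]{1,3}/,
};

// Names of every default pattern that matches somewhere in `text`.
function matchedPatterns(text) {
  return Object.entries(PII_PATTERNS)
    .filter(([, re]) => re.test(text))
    .map(([name]) => name);
}

// Preview of the masked text: every character covered by any match
// becomes "*". Assumption: the SDK's real replacement logic may differ.
function previewMask(text) {
  const chars = text.split("");
  for (const re of Object.values(PII_PATTERNS)) {
    for (const m of text.matchAll(new RegExp(re.source, "g"))) {
      chars.fill("*", m.index, m.index + m[0].length);
    }
  }
  return chars.join("");
}

// Constructed sample strings standing in for text your UI renders.
const SAMPLES = [
  "Welcome back",
  "Contact jane@example.test",
  "SSN 123-45-6789",
  "Order 20240117000042", // not PII, but a long numeric string
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(previewMask(s)), matchedPatterns(s));
}
```

The order number in the last sample is masked even though it is not PII, which is the over-masking behaviour described above.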

Mask All Inputs

When to use: Enforce a strict privacy baseline across your application by masking the values of all form controls (inputs, textareas, selects, password, number, checkbox, etc.), replacing user‑entered values with asterisks (***) in the replay.

recordingOptions: {
  maskAllInputs: true,
}

Result in the player:

Masked data is not stored on Middleware servers.

[Image: Example showing sensitive user input fields being masked in a form]

Mask All

When to use: For highly sensitive workflows (such as authentication, billing, and healthcare), combine input masking with global text masking. This masks all visible HTML text (labels, paragraphs, spans, links, etc.) in addition to inputs.

recordingOptions: {
  maskTextSelector: "*",
  maskAllInputs: true,
}

Result in the player:

[Image: Illustration of all user input fields masked for data security]

Mask None

When to use: For non‑sensitive internal environments only. Records everything unmasked. Use with caution and only when your legal/privacy policy allows it.

recordingOptions: {
  maskAllInputs: false,
}

Result in the player:

[Image: Example showing no masking applied to user input fields]

Privacy Options

Use these options to fine‑tune masking/ignoring at the element or selector level. Defaults reflect safe behaviour out of the box.

| Key | Default | Description |
| --- | --- | --- |
| blockClass | 'mw-block' | Use a string or RegExp to configure which elements should be blocked (excluded entirely from recording). |
| blockSelector | null | Use a string (CSS selector) to configure which selector should be blocked. |
| ignoreClass | 'mw-ignore' | Use a string or RegExp to configure which elements should be ignored (interaction events not recorded). |
| ignoreSelector | null | Use a string to configure which selector should be ignored. |
| ignoreCSSAttributes | null | Array of CSS attributes that should be ignored. |
| maskTextClass | 'mw-mask' | Use a string or RegExp to configure which elements should be masked (text redacted). |
| maskTextSelector | null | Use a string to configure which selector should be masked. |
| maskSensitiveInputs | true | Mask sensitive information such as email, credit card number, phone number, address, SSN, and IP address. |
| maskAllInputs | false | Mask all input content as *. |
| maskInputOptions | { password: true } | Mask specific types of input: color, date, datetime-local, email, month, number, range, search, tel, text, time, url, week, textarea, select, password. |
| maskInputFn | | Customize mask input content recording logic. |
| maskTextFn | | Customize mask text content recording logic. |

Practical Guidance

  • Start strict, then relax: Begin with maskAllInputs: true and add targeted maskTextSelector rules for areas containing PII. Only relax masking where you need full context.
  • Prefer selectors over global rules: Scope masking to sensitive regions (for example, .checkout [data-pii]) to preserve useful UI context elsewhere.
  • Review after UI changes: When pages evolve, re‑test your masking/blocks on staging to ensure sensitive fields remain protected.
  • Third‑party iframes: Treat external widgets as untrusted; block their containers with blockSelector when they can display secrets.
  • Compliance: Document your masking defaults and any exceptions; ensure they align with your consent policy.
