From 4e78688f6799005161fea5eead680b1b817f7ad6 Mon Sep 17 00:00:00 2001 From: s1gr1d <32902192+s1gr1d@users.noreply.github.com> Date: Mon, 1 Jun 2026 17:22:13 +0200 Subject: [PATCH 1/2] docs(data-collected): Clarify HTTP header and cookie collection differences (browser/server) --- .../data-management/data-collected/index.mdx | 64 +++++++++++++++---- 1 file changed, 53 insertions(+), 11 deletions(-) diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx index 4cfc8c4fdaa10..449d3174106e1 100644 --- a/docs/platforms/javascript/common/data-management/data-collected/index.mdx +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx 
@@ -12,13 +12,55 @@ Many of the categories listed here require you to enable the + +By default, the Sentry SDK does **not** capture HTTP request or response headers. + +The HttpClient Integration captures headers from outgoing fetch and XHR requests that return a failed status code (500–599 by default). To enable header collection, set `sendDefaultPii: true` in your `Sentry.init()` config. + +When `sendDefaultPii` is enabled: + +- **Fetch requests**: All request and response header names are captured. Sensitive values (such as `authorization`, `x-api-key`, and `x-auth-token`) are automatically redacted to `[Filtered]`. +- **XHR requests**: All request and response header names are captured, with the same automatic redaction of sensitive values.However, request cookies (from the `Cookie` header) cannot be read due to browser XHR API limitations. Only response cookies (from `Set-Cookie`) are available. + + + +Header collection is best-effort due to Fetch and XHR API limitations. Certain headers may be missing even when `sendDefaultPii` is enabled. + + + + + + + +On the server-side, incoming request headers (and outgoing response headers) are added as span attributes by the Http Integration **by default**. +Sensitive values (such as auth tokens and secrets) and PII headers (such as forwarding and IP headers) are automatically filtered. +Setting `sendDefaultPii: true` relaxes the PII-header filtering so those headers are captured too. Sensitive keys remain filtered regardless. +You can configure request headers, response headers, and cookies independently using the `dataCollection` option. + + ## Cookies + + By default, the Sentry SDK doesn't send cookies. -If you want to send cookies, set `sendDefaultPii: true` in the `Sentry.init()` call. This will send the cookie headers `Cookie` and `Set-Cookie` from fetch and XHR requests. +To capture cookies from outgoing requests, set `sendDefaultPii: true` in your `Sentry.init()` call. 
The HttpClient Integration will then capture: + +- **Fetch requests**: Both request cookies (from the `Cookie` header) and response cookies (from `Set-Cookie`). +- **XHR requests**: Response cookies only (from `Set-Cookie`). Request cookies cannot be read from XHR requests due to browser API limitations. + +Sensitive cookie names are filtered automatically even when cookie collection is enabled. + + + + + +On the server-side, set `sendDefaultPii: true` to capture cookies from incoming requests via the Http Integration. +Sensitive cookie names are filtered automatically even when cookie collection is enabled. + + ## Information About Logged-in User @@ -28,7 +70,7 @@ The type of logged-in user information you'll be able to send depends on the int ### Local Device User - + By default, the Sentry SDK doesn't send any information about the user currently logged-in to the device where the app is running. However, you should exercise caution when logging file system errors as paths may contain the current username. 
@@ -101,13 +143,13 @@ By default, the Sentry SDK sends information about the device and runtime to Sen - The Sentry Electron SDK collects information about the device, such as the platform, architecture, available memory and version and build of your operating system or Linux distribution. - - By default, the Additional Context Integration collects dimensions and resolution of the device screen. It can optionally collect the device's manufacturer and model name if the `deviceModelManufacturer` option is enabled. - + The Sentry Electron SDK collects information about the device, such as the platform, architecture, available memory and version and build of your operating system or Linux distribution. + + By default, the Additional Context Integration collects dimensions and resolution of the device screen. It can optionally collect the device's manufacturer and model name if the `deviceModelManufacturer` option is enabled. + By default, the GPU Context Integration collects GPU information. It can optionally collect more detailed information if the `infoLevel` option is set to `complete`. - - + + @@ -165,11 +207,11 @@ By default, the Sentry SDK sends information about the device and runtime to Sen ## Window Titles - + The Electron Breadcrumbs Integration can optionally capture the window titles for breadcrumbs related to windows events. These can potentially contain PII so are disabled by default but can be enabled via the `captureWindowTitles` option. ## Native Crashes - + At the time of a native crash, the stack of each thread is collected and sent to Sentry as part of the Minidump snapshot. This information is sent to Sentry by default, but dropped after processing the event in the backend. These files are not stored by default, but you can [enable Minidump Storage](/platforms/native/guides/minidumps/enriching-events/attachments/#store-minidumps-as-attachments) in the Sentry organization or project settings. 
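Review bot: In the first hunk (@@ -12,13 +12,55 @@), the Fetch and XHR bullets say "header names are captured" and then list `authorization`, `x-api-key`, and `x-auth-token` as examples of "sensitive values", so a reader cannot tell whether header values are sent or only the names. Those three are header names; if values are in fact collected, say so directly, for example "All request and response headers are captured; the values of sensitive headers (such as `authorization`) are replaced with `[Filtered]`". The same wording problem is in "Sensitive cookie names are filtered automatically" in the Cookies part of the hunk, where it is unclear whether the cookie is dropped or its value is masked. Separately, the section opens with "By default, the Sentry SDK does **not** capture HTTP request or response headers" while the server-side paragraph says headers are added as span attributes "**by default**"; scope the opening sentence to the browser so the two defaults do not read as contradictory. The server-side headers paragraph says cookies can be configured through `dataCollection`, but the server-side Cookies paragraph only mentions `sendDefaultPii`; mention or link the option in both places.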
From 2fa5a2abe3636349516b90b86d61c36488718a95 Mon Sep 17 00:00:00 2001 From: s1gr1d <32902192+s1gr1d@users.noreply.github.com> Date: Mon, 1 Jun 2026 17:53:43 +0200 Subject: [PATCH 2/2] add deno and cloudflare --- .../common/data-management/data-collected/index.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/platforms/javascript/common/data-management/data-collected/index.mdx b/docs/platforms/javascript/common/data-management/data-collected/index.mdx index 449d3174106e1..c546cc2bc5d89 100644 --- a/docs/platforms/javascript/common/data-management/data-collected/index.mdx +++ b/docs/platforms/javascript/common/data-management/data-collected/index.mdx @@ -21,7 +21,7 @@ The HttpClient Integr When `sendDefaultPii` is enabled: - **Fetch requests**: All request and response header names are captured. Sensitive values (such as `authorization`, `x-api-key`, and `x-auth-token`) are automatically redacted to `[Filtered]`. -- **XHR requests**: All request and response header names are captured, with the same automatic redaction of sensitive values.However, request cookies (from the `Cookie` header) cannot be read due to browser XHR API limitations. Only response cookies (from `Set-Cookie`) are available. +- **XHR requests**: All request and response header names are captured, with the same automatic redaction of sensitive values. However, request cookies (from the `Cookie` header) cannot be read due to browser XHR API limitations. Only response cookies (from `Set-Cookie`) are available. @@ -31,7 +31,7 @@ Header collection is best-effort due to Fetch and XHR API limitations. Certain h - + On the server-side, incoming request headers (and outgoing response headers) are added as span attributes by the Http Integration **by default**. Sensitive values (such as auth tokens and secrets) and PII headers (such as forwarding and IP headers) are automatically filtered.
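Review bot: The subject "add deno and cloudflare" does not cover the first hunk (@@ -21,7 +21,7 @@), whose only visible change is the missing space in "sensitive values.However" introduced by patch 1/2; fold that fix into 1/2 so the series does not add and then correct the same line. While that line is being touched, note that the XHR bullet in the headers list still describes cookie behaviour ("request cookies (from the `Cookie` header) cannot be read") that the Fetch bullet does not mention and that the Cookies section repeats; consider keeping the cookie limitation only in the Cookies section.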