Output Masking Help

How masking rules work across UI, JSON views, notifications, and client-side screenshot preparation.

Define

Add custom sensitive keys and regex patterns in Settings -> Output Masking.

Validate

Use the preview panel to test before/after redaction on text and JSON values.

Apply

Rules are used in output rendering and can be reused on the browser side before screenshot capture.

Masking Control Precedence
  1. Global Output Masking (Settings -> Output Masking) is the master switch for masking across render/API surfaces.
  2. SQL/Query Field Masking is an additional toggle that applies only to sql/query fields in NLQ and chart responses, and only when global masking is enabled.
  3. Per-action/per-channel controls (GitHub issue payload masking and notification channel masking) can disable masking for that path even when global masking is enabled.
What Gets Masked
  • Rendered UI fields where the mask filter is applied (incident, summary, replay previews, error panels).
  • Selected JSON output paths used for observability/debug views.
  • Notification and GitHub issue text payload generation.
  • Mask preview API output used by Settings -> Output Masking.
What Does Not Automatically Get Masked
  • Raw binary screenshot pixels already captured by your frontend.
  • Source telemetry at ingest time (SOBS applies display-layer masking by design).
For screenshots, redact in the browser before upload. Use the DOM masking helper shown below.
Client-Side Screenshot Workflow
  1. Fetch effective masking rules from GET /api/settings/masking/rules.
  2. Temporarily mask sensitive DOM text/inputs before screenshot capture.
  3. Capture/upload sanitized screenshot bytes.
  4. Restore the DOM immediately after capture.
    const session = await window.SOBSDomMasking.sanitizeDomForScreenshot({
      rulesUrl: '/api/settings/masking/rules'
    });
    try {
      // capture + upload screenshot bytes here
    } finally {
      session.restore();
    }

Reference implementation: examples/rum/sobs_dom_masking_util.js and examples/rum/rrweb_replay_example.js.

Regex Compatibility Notes

Server rules are Python regex. The browser helper uses JavaScript regex and applies a best-effort conversion for common inline flags such as (?i) and anchors like \A/\Z.

If a complex server regex cannot be compiled in JavaScript, it is skipped client-side and still enforced on server-rendered output.
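
One way the best-effort conversion and the skip-on-failure behaviour described above could work, as an added example that is not the SOBS reference helper. The function names, the `[MASKED]` placeholder and the sample rules are assumptions; `\A`/`\Z` are mapped to lookarounds rather than `^`/`$` so they stay absolute anchors when `(?m)` is set.

```javascript
// Added illustration, not the SOBS helper. All function names are hypothetical.
const PY_TO_JS_FLAGS = { i: 'i', m: 'm', s: 's' }; // inline flags with a direct JS equivalent

// Convert one Python-style pattern to a JS RegExp, or return null if it cannot be used.
function convertPythonRegex(source) {
  const flags = new Set(['g']); // global: mask every occurrence
  let body = source;
  const inline = /^\(\?([a-zA-Z]+)\)/.exec(body); // leading (?i), (?im), ...
  if (inline) {
    for (const ch of inline[1]) {
      if (!(ch in PY_TO_JS_FLAGS)) return null; // e.g. (?x) verbose mode
      flags.add(PY_TO_JS_FLAGS[ch]);
    }
    body = body.slice(inline[0].length);
  }
  // Walk escape pairs so an escaped backslash followed by "A" (\\A) is left alone.
  // \A and \Z become lookarounds meaning absolute start/end, even under the m flag.
  body = body.replace(/\\([\s\S])/g, (pair, ch) =>
    ch === 'A' ? '(?<![\\s\\S])' : ch === 'Z' ? '(?![\\s\\S])' : pair);
  try {
    return new RegExp(body, [...flags].join(''));
  } catch (err) {
    return null; // JS cannot compile it, e.g. Python-only (?P<name>...) groups
  }
}

// Compile a rule list; report skipped patterns so the client-side gap is visible.
function compileClientRules(patterns) {
  const compiled = [];
  const skipped = [];
  for (const p of patterns) {
    const re = convertPythonRegex(p);
    if (re) compiled.push(re); else skipped.push(p);
  }
  return { compiled, skipped };
}

// The placeholder string is an assumption, not the product's mask token.
function maskText(text, compiled, placeholder = '[MASKED]') {
  return compiled.reduce((out, re) => out.replace(re, placeholder), text);
}

// Constructed sample rules (not from any real configuration).
const SAMPLE_RULES = [
  '(?i)bearer\\s+[a-z0-9._-]+',
  '\\Aroot:[^\\n]*',
  '(?P<key>sk_[a-z0-9]+)', // Python-only named group: skipped client-side
];
```

Logging the `skipped` list before capture shows which rules the screenshot path will not enforce, since those patterns are only applied to server-rendered output.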