Privacy Options for Session Replay

Configure privacy and PII masking in Statsig Session Replay, including input masking, element-level redaction, and recording exclusion rules.

To support your app’s privacy requirements and align with your organization’s policies, Statsig provides multiple ways to control replay privacy:

  • Baseline privacy options - Select from three preset privacy configurations. Each option applies a different level of text masking, helping you protect PII and sensitive data according to your app’s and users’ needs.
  • Fine-grained privacy controls - After choosing a baseline configuration, use CSS selector rules to mask, reveal, or block specific elements.
  • Global Targeting Gate - Use a feature gate to define which users are eligible for replays, so that recordings are limited to specific users or cohorts.

In the Statsig Console, you can configure your privacy settings under Project Settings → Analytics & Session Replay. You must be a project admin to modify these settings.

Baseline privacy options

  • Passwords (Default): Statsig replaces only password inputs with asterisks (*). All other text and inputs appear as-is.
  • Inputs: Statsig replaces all text in inputs with asterisks (*). All other text appears as-is.
  • Maximum: Statsig replaces all text and inputs with asterisks (*).

Selector rules

Use CSS selectors to precisely control how individual elements are handled during session replay: masked, unmasked, or blocked.

  • Masking and unmasking apply only to text content. Masked text is replaced with asterisks (*).
  • Blocking removes the element entirely from the replay and replaces it with a black placeholder of the same size.
  • You can't unmask password inputs, regardless of selector rules.

Selector rules override the baseline privacy settings. When multiple selector rules apply to the same element, Statsig enforces the following precedence, from highest to lowest: Block → Mask → Unmask.

The examples below show how precedence is enforced.

```js
// Everything within the blocked class will
// appear as a single black placeholder
<div class="blocked">
  <div id="masked">I will be part of the black placeholder</div>
  <button id="unmasked">I will be part of the black placeholder</button>
</div>
```

```js
// The closest rule will apply
<div>
  <div id="masked">Masked Text</div>
  <div id="masked">
    <button id="unmasked">Unmasked Text</button>
  </div>
</div>
```

```js
// With conflicting rules applied at the same level,
// the higher precedence will apply
<div>
  <button id="unmasked" className="masked">
    Masked Text
  </button>
</div>
```

```js
// With baseline privacy setting set to Maximum, all text is masked
// by default but this can be overwritten by unmasking
<div>
  <div>Masked Text</div>
  <div>
    <button id="unmasked">Unmasked Text</button>
  </div>
</div>
```

All selectors must be valid CSS selectors. For details on supported selector syntax, refer to MDN’s list of CSS selectors.
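
The precedence described in this section can be modeled as a small resolver, which helps when reviewing a planned rule set for elements that would end up unmasked. This is an added example, not Statsig's code: it assumes elements are plain objects, supports only #id, .class and tag selectors, and the names resolveTreatment, makeEl and the lowercase baseline labels are hypothetical.

```javascript
// Simplified model of the documented precedence; not Statsig's implementation.
// Assumption: only "#id", ".class" and bare tag selectors are supported.
const matches = (node, sel) =>
  sel[0] === '#' ? node.id === sel.slice(1)
  : sel[0] === '.' ? (node.classes || []).includes(sel.slice(1))
  : node.tag === sel;
const matchesAny = (node, sels) => sels.some((s) => matches(node, s));
// Assumption: "inputs" means <input> and <textarea> elements.
const isInput = (node) => node.tag === 'input' || node.tag === 'textarea';

// Returns 'block', 'mask' or 'unmask' for one element's text.
function resolveTreatment(target, rules, baseline) {
  const chain = []; // target first, then its ancestors
  for (let n = target; n; n = n.parent) chain.push(n);
  // Block has top precedence and covers everything inside the blocked element.
  if (chain.some((n) => matchesAny(n, rules.block))) return 'block';
  // Password inputs can't be unmasked, regardless of selector rules.
  if (target.tag === 'input' && target.type === 'password') return 'mask';
  // The closest rule applies; on the same element, Mask beats Unmask.
  for (const n of chain) {
    if (matchesAny(n, rules.mask)) return 'mask';
    if (matchesAny(n, rules.unmask)) return 'unmask';
  }
  // No selector rule matched: fall back to the baseline option.
  if (baseline === 'maximum') return 'mask';
  if (baseline === 'inputs' && isInput(target)) return 'mask';
  return 'unmask';
}

// Constructed elements mirroring the snippets in this section.
const makeEl = (tag, attrs = {}, parent = null) => ({ tag, ...attrs, parent });
const rules = { block: ['.blocked'], mask: ['#masked', '.masked'], unmask: ['#unmasked'] };

function runExamples() {
  const blocked = makeEl('div', { classes: ['blocked'] });
  const maskedDiv = makeEl('div', { id: 'masked' });
  return {
    insideBlocked: resolveTreatment(makeEl('button', { id: 'unmasked' }, blocked), rules, 'passwords'),
    closestWins: resolveTreatment(makeEl('button', { id: 'unmasked' }, maskedDiv), rules, 'passwords'),
    sameLevel: resolveTreatment(makeEl('button', { id: 'unmasked', classes: ['masked'] }), rules, 'passwords'),
    maximumPlain: resolveTreatment(makeEl('div'), rules, 'maximum'),
    maximumUnmasked: resolveTreatment(makeEl('button', { id: 'unmasked' }), rules, 'maximum'),
    password: resolveTreatment(makeEl('input', { id: 'unmasked', type: 'password' }), rules, 'passwords'),
    inputsBaseline: resolveTreatment(makeEl('input', { type: 'text' }), rules, 'inputs'),
  };
}
console.log(runExamples());
```

The password case shows an unmask rule matching a password input and the result still being masked.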

Using selector rules, or any baseline privacy setting other than Passwords, will overwrite the maskTextFn, maskInputFn, maskTextSelector, maskAllInputs, maskInputOptions, and blockSelector options you passed in during initialization.

Global targeting gate

The Global Targeting Gate controls who is eligible for session recording. If a user doesn't pass this gate, Statsig never records their sessions. By default, this is set to Everyone, meaning there are no restrictions and Statsig can record anyone. This gate defines the upper bound of session recording eligibility.

If you are using bootstrapping, contact the Statsig team to confirm your server SDK is supported.