Data Sanitization
PII detection, redaction, and privacy protection built into the SDK.
Overview
Apperio includes a built-in data sanitizer that automatically detects and redacts Personally Identifiable Information (PII) before log data leaves the browser. This ensures sensitive data never reaches your logging backend.
Sanitization runs on all log data automatically when enabled (the default). It supports 10+ detection patterns out of the box and can be extended with custom rules.
Info
Detected values are replaced with placeholders such as [EMAIL_REDACTED] and never sent to the server.
PII Detection Patterns
The SDK detects the following PII patterns by default:
| Pattern | Example Input | Redacted Output |
|---|---|---|
| Email addresses | user@example.com | [EMAIL_REDACTED] |
| Social Security Numbers | 123-45-6789 | [SSN_REDACTED] |
| Credit card numbers | 4111-1111-1111-1111 | [CREDIT_CARD_REDACTED] |
| Phone numbers | +1 (555) 123-4567 | [PHONE_REDACTED] |
| API keys | sk_live_abc123xyz | [API_KEY_REDACTED] |
| JWT tokens | eyJhbGciOiJIUzI1NiJ9... | [JWT_REDACTED] |
| IP addresses | 192.168.1.100 | [IP_REDACTED] |
| AWS access keys | AKIA1234567890ABCDEF | [AWS_KEY_REDACTED] |
| Password fields | password: "secret123" | password: "[PASSWORD_REDACTED]" |
| Authorization headers | Bearer eyJhbGci... | Bearer [TOKEN_REDACTED] |
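As an added example (not the Apperio SDK's own code), the following sketches how a rule-driven sanitizer like the one described here can be built: the built-in patterns from the table, a Luhn check that gates the credit-card rule (the high-confidence match the LENIENT preset relies on), and custom rules in the { pattern, replacement, description } shape that the Custom Rules section below uses. Rule names, the regular expressions, their order and the function names are assumptions for illustration, not the SDK's actual patterns.

```javascript
// Added example, not Apperio SDK code. Rule names, regexes and their order
// are assumptions; they illustrate the technique, not the SDK's internals.

// Luhn checksum over a string of decimal digits. Gating the card rule on it
// keeps random 13-19 digit runs (order numbers, tracking ids) from being redacted.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Order matters: a more specific format (Bearer header, JWT, AWS key) runs
// before a looser one (phone, generic key) so a secret is never left half-redacted.
const BUILTIN_RULES = [
  { name: "authorization", pattern: /\bBearer\s+[A-Za-z0-9._~+\/=-]+/g, replacement: "Bearer [TOKEN_REDACTED]" },
  { name: "jwt", pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, replacement: "[JWT_REDACTED]" },
  { name: "aws_key", pattern: /\bAKIA[0-9A-Z]{16}\b/g, replacement: "[AWS_KEY_REDACTED]" },
  { name: "api_key", pattern: /\bsk_(?:live|test)_[A-Za-z0-9]+\b/g, replacement: "[API_KEY_REDACTED]" },
  { name: "email", pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, replacement: "[EMAIL_REDACTED]" },
  { name: "ssn", pattern: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: "[SSN_REDACTED]" },
  // 13-19 digits with optional space/dash separators, accepted only if Luhn-valid.
  { name: "credit_card", pattern: /\b\d(?:[ -]?\d){12,18}\b/g, replacement: "[CREDIT_CARD_REDACTED]",
    validate: (m) => luhnValid(m.replace(/\D/g, "")) },
  { name: "ip", pattern: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, replacement: "[IP_REDACTED]" },
  { name: "phone", pattern: /(?:\+?\d{1,2}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, replacement: "[PHONE_REDACTED]" },
  // Keeps the key and quotes, replaces only the value: password: "x" -> password: "[PASSWORD_REDACTED]"
  { name: "password_field", pattern: /\b(password\s*[:=]\s*["']?)([^"'\s,}]+)/gi,
    replacement: (_m, prefix) => `${prefix}[PASSWORD_REDACTED]` },
];

// Redacts every rule match in `text`. Custom rules run first so a domain id
// such as EMP-123456 is labelled by its own rule rather than swallowed by a
// generic one. Returns the sanitized text plus an audit summary that never
// contains the original values.
function sanitizeString(text, customRules = []) {
  const patterns = new Set();
  let matches = 0;
  let out = text;
  for (const rule of [...customRules, ...BUILTIN_RULES]) {
    if (!rule.pattern.global) {
      // Without /g, String.prototype.replace would only redact the first occurrence.
      throw new Error(`rule ${rule.name || rule.description} must use the g flag`);
    }
    out = out.replace(rule.pattern, (...args) => {
      const match = args[0];
      if (rule.validate && !rule.validate(match)) return match; // e.g. Luhn check failed: keep as-is
      matches++;
      patterns.add(rule.name || rule.description || "custom");
      return typeof rule.replacement === "function" ? rule.replacement(...args) : rule.replacement;
    });
  }
  return { text: out, matches, patterns: [...patterns] };
}

// Constructed sample input (not real data), plus the employee-id custom rule
// from the Custom Rules section.
const EMPLOYEE_RULE = { pattern: /EMP-\d{6}/g, replacement: "[EMPLOYEE_ID_REDACTED]", description: "Internal employee identifier" };
const SAMPLE_TEXT = 'EMP-123456 (user@example.com) paid with 4111-1111-1111-1111, password: "secret123"';
console.log(sanitizeString(SAMPLE_TEXT, [EMPLOYEE_RULE]));
```

Two points worth keeping when writing your own rules: the order matters (the Bearer header rule runs before the generic JWT rule, so a header is reported as a token rather than left half-redacted), and every pattern must carry the g flag, since String.prototype.replace with a non-global RegExp redacts only the first occurrence; the example rejects such rules instead of silently under-redacting.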
Presets
Three presets control how aggressively the sanitizer operates:
STRICT
Maximum protection. Detects all patterns including partial matches and ambiguous values. Best for healthcare, finance, and regulated environments.
```javascript
Apperio.init({
  projectId: "...",
  apiKey: "...",
  sanitization: {
    enabled: true,
    preset: "STRICT",
  },
});
```
BALANCED (Default)
Sensible defaults for most applications. Catches common PII patterns with high confidence while minimizing false positives.
```javascript
// BALANCED is the default - no explicit config needed
Apperio.init({
  projectId: "...",
  apiKey: "...",
  // sanitization.preset defaults to "BALANCED"
});
```
LENIENT
Minimal sanitization. Only catches high-confidence matches like full SSN patterns, Luhn-valid credit card numbers, and explicit API key formats. Suitable for internal tools where PII risk is low.
```javascript
Apperio.init({
  projectId: "...",
  apiKey: "...",
  sanitization: {
    enabled: true,
    preset: "LENIENT",
  },
});
```
Custom Rules
Add custom sanitization rules to handle domain-specific sensitive data:
```javascript
Apperio.init({
  projectId: "...",
  apiKey: "...",
  sanitization: {
    enabled: true,
    preset: "BALANCED",
    customRules: [
      {
        // Redact internal employee IDs
        pattern: /EMP-\d{6}/g,
        replacement: "[EMPLOYEE_ID_REDACTED]",
        description: "Internal employee identifier",
      },
      {
        // Redact medical record numbers
        pattern: /MRN-[A-Z]{2}\d{8}/g,
        replacement: "[MRN_REDACTED]",
        description: "Medical record number",
      },
      {
        // Redact custom API tokens
        pattern: /myapp_[a-zA-Z0-9]{32}/g,
        replacement: "[CUSTOM_TOKEN_REDACTED]",
        description: "Application-specific API token",
      },
    ],
  },
});
```
Warning
Disabling the sanitizer sends log data to your backend unredacted. Only set sanitization.enabled = false if you handle sanitization manually.
Audit Trail
When sanitization redacts data, it creates an audit trail entry recording what was sanitized without revealing the original value. This helps with compliance and debugging.
```json
{
  "message": "User profile loaded",
  "data": {
    "name": "John Doe",
    "email": "[EMAIL_REDACTED]",
    "phone": "[PHONE_REDACTED]"
  },
  "metadata": {
    "sanitization": {
      "fieldsRedacted": 2,
      "patterns": ["email", "phone"],
      "timestamp": "2026-03-07T10:30:00Z"
    }
  }
}
```
The audit trail is included in the log entry's metadata, so you can search for sanitized entries in the dashboard and understand what types of PII your application is handling.
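The following added example (not the Apperio SDK's code) shows how an audit trail of this shape can be produced: it walks a log entry's nested data, redacts string values, and attaches metadata.sanitization recording only pattern names and a count, never the original values. The two-rule pattern set, the key-name rule for password fields, the cycle guard and all function names are assumptions for illustration.

```javascript
// Added example, not Apperio SDK code. Regexes, rule names and function
// names are assumptions; the rule set is deliberately small.

const VALUE_RULES = [
  { name: "email", pattern: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, replacement: "[EMAIL_REDACTED]" },
  { name: "phone", pattern: /(?:\+?\d{1,2}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, replacement: "[PHONE_REDACTED]" },
];
// Key-based rule: a field named password/passwd/secret is redacted whatever it holds.
const SECRET_KEY = /^(password|passwd|secret)$/i;

// Recursively copies `value`, redacting strings. `audit` accumulates the count
// and pattern names; `seen` stops the walk on objects met before (shared or
// cyclic references, e.g. DOM nodes) so it always terminates.
function sanitizeValue(value, audit, key = "", seen = new WeakSet()) {
  if (typeof value === "string") {
    if (SECRET_KEY.test(key)) {
      audit.fieldsRedacted++;
      audit.patterns.add("password");
      return "[PASSWORD_REDACTED]";
    }
    let hit = false;
    let out = value;
    for (const rule of VALUE_RULES) {
      out = out.replace(rule.pattern, () => {
        hit = true;
        audit.patterns.add(rule.name);
        return rule.replacement;
      });
    }
    if (hit) audit.fieldsRedacted++; // one field, however many matches it held
    return out;
  }
  if (value !== null && typeof value === "object") {
    if (seen.has(value)) return "[CIRCULAR]";
    seen.add(value);
    if (Array.isArray(value)) return value.map((v) => sanitizeValue(v, audit, key, seen));
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = sanitizeValue(v, audit, k, seen);
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Returns a sanitized copy of the entry. metadata.sanitization is added only
// when something was redacted, mirroring the audit-trail shape shown above.
// `now` is injectable so the timestamp is deterministic in tests.
function sanitizeLogEntry(entry, now = new Date()) {
  const audit = { fieldsRedacted: 0, patterns: new Set() };
  const message = sanitizeValue(entry.message, audit);
  const data = sanitizeValue(entry.data, audit);
  const result = { ...entry, message, data };
  if (audit.fieldsRedacted > 0) {
    result.metadata = {
      ...(entry.metadata || {}),
      sanitization: {
        fieldsRedacted: audit.fieldsRedacted,
        patterns: [...audit.patterns],
        timestamp: now.toISOString(),
      },
    };
  }
  return result;
}

// Constructed sample entry (not real data), shaped like the audit-trail example above.
const SAMPLE_ENTRY = {
  message: "User profile loaded",
  data: {
    name: "John Doe",
    email: "jane@example.com",
    phone: "+1 (555) 123-4567",
    account: { password: "secret123" },
  },
};
console.log(JSON.stringify(sanitizeLogEntry(SAMPLE_ENTRY), null, 2));
```

The original entry is never mutated, so a caller cannot accidentally forward the unsanitized object, and the metadata carries nothing that would let the dashboard reconstruct a redacted value.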
URL Sanitization
Network request URLs are automatically sanitized to remove potentially sensitive query parameters:
```javascript
// Before sanitization:
// GET /api/users?token=abc123&api_key=sk_live_xyz
// After sanitization:
// GET /api/users?token=[REDACTED]&api_key=[REDACTED]
```
Common parameter names that are redacted include: token, api_key, secret, password, auth, and session.
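As an added example (not the Apperio SDK's code), here is a URL sanitizer that redacts the values of the parameter names listed above while leaving the path, other parameters and any fragment intact; it also handles relative URLs and percent-encoded or mixed-case parameter names. The function and constant names are assumptions.

```javascript
// Added example, not Apperio SDK code. Names are assumptions; the parameter
// list is the one given in the text above.

const SENSITIVE_PARAMS = new Set(["token", "api_key", "secret", "password", "auth", "session"]);

// Normalises a "name=value" pair's name for comparison: percent-decoded and
// lower-cased, so "api%5Fkey" and "Session" are still recognised.
function paramName(pair) {
  const eq = pair.indexOf("=");
  const raw = eq === -1 ? pair : pair.slice(0, eq);
  try {
    return decodeURIComponent(raw).toLowerCase();
  } catch {
    return raw.toLowerCase(); // malformed escape: compare the raw name instead of failing
  }
}

// Plain string handling rather than URLSearchParams so that relative URLs work
// and the placeholder stays literally "[REDACTED]" instead of being percent-encoded.
function sanitizeUrl(url, sensitive = SENSITIVE_PARAMS) {
  const q = url.indexOf("?");
  if (q === -1) return url; // no query string, nothing to redact
  const hash = url.indexOf("#", q);
  const base = url.slice(0, q);
  const query = url.slice(q + 1, hash === -1 ? undefined : hash);
  const fragment = hash === -1 ? "" : url.slice(hash);
  const redacted = query
    .split("&")
    .map((pair) => {
      if (pair === "") return pair;
      const eq = pair.indexOf("=");
      const name = eq === -1 ? pair : pair.slice(0, eq);
      return sensitive.has(paramName(pair)) ? `${name}=[REDACTED]` : pair;
    })
    .join("&");
  return `${base}?${redacted}${fragment}`;
}

console.log(sanitizeUrl("/api/users?token=abc123&api_key=sk_live_xyz"));
```

Matching on parameter names only catches what is on the list: a secret under an unlisted name, or one embedded in a path segment, passes through, so in practice this belongs alongside the value-based patterns rather than replacing them, and the set should be extended with the names your own APIs use.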
Configuration
Full sanitization configuration reference:
```typescript
interface SanitizationConfig {
  // Enable/disable sanitization entirely
  enabled: boolean; // default: true

  // Preset level of detection
  preset: "STRICT" | "BALANCED" | "LENIENT"; // default: "BALANCED"

  // Additional custom rules
  customRules?: Array<{
    pattern: RegExp; // Regex pattern to match
    replacement: string; // Replacement string
    description?: string; // Human-readable description
  }>;
}
```
Tip
```javascript
Apperio.init({
  projectId: "...",
  apiKey: "...",
  sanitization: {
    enabled: process.env.NODE_ENV === "production",
    preset: "STRICT",
  },
});
```