An article explaining how to mask elements from heatmaps, session recordings, and what fields are always masked.
When you record a session or sample a heatmap Extellio may record user-sensitive data with is displayed on your website. To avoid recording personal data you can mask elements from being recorded by adding the data-matomo-mask attribute around the element in the website’s code.
You can mask individual elements like this:
<span data-matomo-mask>Firstname lastname</span>
or you can mask a set of elements
<div data-matomo-mask>
<p>
<span>Firstname</span>
<span>Lastname</span>
</p>
</div>
Before sending the data to Extellio, any masked content will have each character replaced by an asterisk (*). Additionally, content displayed in the title, alt, label, or placeholder attributes will also be masked.
The following fields are always masked in session recordings:
- Any input field with the type password, tel, or email.
- No value is recorded for hidden form elements.
- When a user enters between 7 and 21 digits in sequence, Extellio assume it is a credit card number or similar and mask it.
- When a user enters an @ symbol, Extellio assume it is an email address and don't record it.
- Form fields within iframes won't be recorded at all.
- Extellio ignores any form field when it has an id, name, or autocomplete with one of these values (any dashes, underscores, or whitespace in the name are ignored):
'creditcardnumber', 'off', 'kreditkarte', 'debitcard', 'kreditkort', 'kredietkaart', ' kartakredytowa', 'cvv', 'cc', 'ccc', 'cccsc', 'cccvc', 'ccexpiry', 'ccexpyear', 'ccexpmonth', 'cccvv', 'cctype', 'cvc', 'exp', 'ccname', 'cardnumber', 'ccnumber', 'username', 'creditcard', 'name', 'fullname', 'familyname', 'firstname', 'vorname', 'nachname', 'lastname', 'nickname', 'surname', 'login', 'formlogin', 'konto', 'user', 'website', 'domain', 'gender', 'company', 'firma', 'geschlecht', 'email', 'emailaddress', 'emailadresse', 'mail', 'epos', 'ebost', 'epost', 'eposta', 'authpw', 'token_auth', 'tokenauth', 'token', 'pin', 'ibanaccountnum', 'ibanaccountnumber', 'account', 'accountnum', 'auth', 'age', 'alter', 'tel', 'city', 'cell', 'cellphone', 'bic', 'iban', 'swift', 'kontonummer', 'konto', 'kontonr', 'phone', 'mobile', 'mobiili', 'mobilne', 'handynummer', 'téléphone', 'telefono', 'ssn', 'socialsecuritynumber', 'socialsec', 'socsec', 'address', 'addressline1', 'addressline2','billingaddress', 'billingaddress1', 'billingaddress2','shippingaddress', 'shippingaddress1', 'shippingaddress2', 'vat', 'vatnumber', 'gst', 'gstnumber', 'tax', 'taxnumber', 'steuernummer', 'adresse', 'indirizzo', 'adres', 'dirección', 'osoite', 'address1', 'address2', 'address3', 'street', 'strasse', 'rue', 'via', 'ulica', 'calle', 'sokak', 'zip', 'zipcode', 'plz', 'postleitzahl', 'postalcode', 'postcode', 'dateofbirth', 'dob', 'telephone', 'telefon', 'telefonnr', 'telefonnummer', 'password', 'passwort', 'kennwort', 'wachtwoord', 'contraseña', 'passord', 'hasło', 'heslo', 'wagwoord', 'parole', 'contrasenya', 'heslo', 'clientid', 'identifier', 'id', 'consumersecret', 'webhooksecret', 'consumerkey', 'keyconsumersecret', 'keyconsumerkey', 'clientsecret', 'secret', 'secretq', 'secretquestion', 'privatekey', 'publickey', 'pw', 'pwd', 'pwrd', 'pword', 'paword', 'pasword', 'paswort', 'pass’.