Who can use this feature?
- Available on all plans.
- Requires an admin role to configure.
This article covers the following topics:
- Headers and Bodies
- Set Up Network Data Capture and Privacy Rules
- Syntax & Semantics
- Editing or Removing Network Allowlists
Headers and Bodies
Fullstory Dev Tools gives you the power to capture Request Headers, Response Headers, Request Bodies and Response Bodies for individual Network Requests that took place within a user's captured session.
Request/Response Headers
Request and Response Headers are HTTP Headers that include context about requests and may include details such as Accept, Cache-control, Server, Date, and other helpful metadata for understanding the conditions of a request.
When Request/Response Headers are available, Fullstory will only capture header fields that are known to be safe and make those available to view under Network Request details. For any Request/Response Header fields that aren't clearly known to be safe for data capture, Fullstory will not capture those details and they will be shown as [blocked] when you view Network Details.
Additionally, we do not capture the authorization, cookie, and proxy-authorization headers for security reasons, so you will not see these headers listed within Fullstory Dev Tools.
Managing Custom Header Rules
To manage which request and response headers Fullstory captures beyond the default safe headers, you can use the Header Privacy Rules settings. This allows you to configure custom header rules to capture additional request or response headers specific to your needs.
To add custom header rules:
- Navigate to Settings > Data Capture and Privacy > Privacy.
- Click the Header Privacy Rules tab.
- In the Custom rules section, click Add custom rules (or Edit custom rules if you've already added rules).
- Enter the header names you want to capture. You can enter headers as a comma-separated list or with each header on a new line.
- Click Save.
Default Captured Headers
Fullstory automatically captures a default set of safe request and response headers. To view the complete list of default captured headers, go to Settings > Data Capture and Privacy > Privacy and click on Header Privacy Rules. The Default captured request headers and Default captured response headers sections display all headers that Fullstory captures by default.
Request/Response Bodies
Request and Response Bodies are the content messages or payloads sent back and forth during a request.
Some of the details in Request and Response Bodies can be super powerful for debugging. However, because these bodies often carry submitted form data, these bodies are likely to contain some sensitive information that Fullstory would never want to capture.
Unlike some other data capture tools that pull in Request/Response Headers and Bodies by default (often bringing sensitive personal data with them), Fullstory gives you the ability to allowlist only the specific parts of the Request/Response Bodies that you know are safe to capture and that will be useful for your own debugging process.
Set Up Network Data Capture and Privacy Rules
There are two steps to enabling network data capture, both outlined below:
- Enabling Network Data Capture
- Setting up Network Privacy Rules (Allowlisting)
Enable Network Data Capture
To get started with network allowlisting, first you will need to enable Network Data Capture:
- Click your account name in the top left.
- Click Settings.
- Under Data Capture and Privacy, click Data Capture.
- Find the Data capture options section.
- Toggle Network Data Capture to "On".
It's important to note—enabling this Network Data Capture option alone will only result in:
- Methods
- Safe headers
- Allowlisted Request/Response bodies (if configured)
- Request/Response size (for same-origin requests)
For security reasons, you'll need to explicitly allowlist individual Request/Response bodies for more details to display in Dev Tools (see below).
In the case where Network Data Capture is disabled, no network traffic will be captured, even if you've added individual Request/Response bodies to your Network Allowlist in your Privacy settings.
Add Network Privacy Rules
Now that you've enabled Network Data Capture, your next step is to identify the request for which you'd like to begin capturing Request and/or Response Bodies. Take a moment to consider—do you want to capture the entire bodies? Or, only specific fields?
Make note of both the URL path and the names of the fields you'd like to allowlist, if applicable.
To find Network Privacy Rules on the Privacy Settings page:
- Click your account name in the top left.
- Click Settings.
- Under Data Capture and Privacy, click Privacy.
- Click the Network Privacy Rules tab.
- Click Add URL Pattern to add a new allowlisted request.
- Enter the request URL path you'd like to allowlist as a regex pattern. For example, if your request URL is
https://www.example.com/api/[cust-id]/loginthen you should enter a URL pattern that looks like.*www\.example\.com/api/.*/login. - For both request and response bodies, use the radio buttons to select whether you'd like to capture Nothing, the Full Body, or only Specific fields.
- If defining specific fields, enter a list of the fields you'd like to allowlist with each field on a new line.
- Click Save to begin capturing Request/Response bodies from that URL pattern.
Syntax & Semantics
URL Patterns
- Regular expression, matching against a full URL
- E.g.,
.*www\.example\.com/api/.*/login - (note: Fullstory uses JavaScript regex syntax which permits unescaped
/)
Request/Response Bodies Fields
- allowlist => element(/element)*
- element =>
- fieldName (match a specific field by name)
- * (match any field)
- ** (match any number of fields, including children)
- E.g.,
foo/bar,foo/bar/*/baz,foo/**
Example
Let's look at a simple login request.
URL
For example, if the login URL is:
https://www.example.com/api/[cust-id]/login
with the following requests and responses:
Request
{
creds: {
user: “foo@customer.com”,
password: “s3kr1t!”
}
} Response
{
success: false,
error: {
msg: “something went wrong”
}
} Then, to allowlist only the fields user, success, error, and msg but not password, your allowlisted request in Fullstory would require these settings:
URL Pattern
.*www.example.com/api/.*/login
Request bodies - Specific fields
creds/user
Response bodies - Specific fields
successerror/msg
After these settings are configured, whenever you view Responses and Requests within the Network Tab in Fullstory, you'd expect to see the user credentials, success, and error message come through while the password would still be displayed as [redacted].
bar property captured:foo
barbar
bazEditing or Removing Network Allowlists
After an allowlisted request has been saved, it can be edited, disabled, or removed at any time.
Under Settings > Data Capture and Privacy > Privacy > Network Allowlist, you can click on any configured allowlist in the table to open the settings to modify the allowlisted request.
To disable an allowlisted request but keep the URL pattern configuration, use the radio buttons to set the allowlisted request to capture "Nothing."
To remove the allowlisted request completely, click to modify the allowlisted request and then click "Delete".
Frequently Asked Questions
Are network allowlist changes retroactive?
No, the actions described in this article are not retroactive. Network allowlisting only applies to sessions captured after the settings are configured.
Does network allowlisting work for mobile apps?
Yes, as of mobile SDK 1.66.0, the network allowlisting and privacy rules described in this article apply to both web and mobile sessions. Mobile SDK 1.66.0+ supports header capture on both iOS and Android, and body capture on Android. For platform-specific details on mobile network capture capabilities, see Network Capture - How does privacy work for fields such as requests or responses?