Expand Up @@ -22,15 +22,54 @@ Regardless of these options, you can always scrub any data before it's sent to S

## HTTP Headers

By default, the Sentry SDK sends HTTP request and response headers.
<PlatformSection notSupported={["javascript.node", "javascript.aws-lambda", "javascript.azure-functions", "javascript.connect", "javascript.express", "javascript.fastify", "javascript.gcp-functions", "javascript.hapi", "javascript.hono", "javascript.koa", "javascript.nitro", "javascript.nestjs", "javascript.deno", "javascript.cloudflare", "javascript.bun"]}>

Use the `dataCollection.httpHeaders` option to control this. For example, set `dataCollection: { httpHeaders: false }` to disable it, or use `{ allow: [...] }` or `{ deny: [...] }` to restrict which header values are sent. Values whose keys match Sentry's built-in sensitive denylist (such as `auth`, `token`, or `password`) are automatically scrubbed, while the keys are kept.
By default, the Sentry SDK does **not** capture HTTP request or response headers in browser environments.

The <PlatformLink to="/configuration/integrations/httpclient/">HttpClient Integration</PlatformLink> captures headers from outgoing fetch and XHR requests that return a failed status code (500–599 by default). To enable header collection, use `dataCollection: { httpHeaders: true }` (or the deprecated `sendDefaultPii: true`) in your `Sentry.init()` config.

When header collection is enabled:

- **Fetch requests**: All request and response header names are captured. Sensitive values (such as `authorization`, `x-api-key`, and `x-auth-token`) are automatically redacted to `[Filtered]`.
- **XHR requests**: All request and response header names are captured, with the same automatic redaction of sensitive values. However, request cookies (from the `Cookie` header) cannot be read due to browser XHR API limitations. Only response cookies (from `Set-Cookie`) are available.

<Alert>

Header collection is best-effort due to Fetch and XHR API limitations. Certain headers may be missing even when collection is enabled.

</Alert>

</PlatformSection>

<PlatformSection notSupported={["javascript", "javascript.angular", "javascript.capacitor", "javascript.cordova", "javascript.ember", "javascript.gatsby", "javascript.react", "javascript.solid", "javascript.svelte", "javascript.vue", "javascript.wasm"]}>

On the server-side, incoming request headers (and outgoing response headers) are added as span attributes by the <PlatformLink to="/configuration/integrations/http/">Http Integration</PlatformLink> **by default**.
Sensitive values (such as auth tokens and secrets) are automatically scrubbed, while the header keys are kept. PII headers (such as forwarding and IP headers) are also filtered by default.

</PlatformSection>
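
Review bot: In the browser bullets under "When header collection is enabled", the redaction examples are full header names (`authorization`, `x-api-key`, `x-auth-token`), but the text never says whether a header is matched exactly or by substring, or where the complete list can be found. The other description in this section, "Values whose keys match Sentry's built-in sensitive denylist (such as `auth`, `token`, or `password`)", gives shorter terms, so the two read as different rules. Suggest stating the matching rule once and linking the list, so a reader can tell whether a custom header that carries a credential is already covered or needs an explicit `{ deny: [...] }` entry. The server-side paragraph has the same gap for "PII headers (such as forwarding and IP headers)": name the headers or link to the list.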
Comment thread
sentry[bot] marked this conversation as resolved.
Comment on lines +44 to +49

Contributor

Bug: The documentation incorrectly shows the server-side HTTP Headers section for Cloudflare and Deno, where the required Http Integration is unsupported.
Severity: LOW

Suggested Fix

Update the documentation component to conditionally hide the server-side HTTP Headers section for platforms where the Http Integration is not supported, such as javascript.cloudflare and javascript.deno, to align with the behavior of the server-side Cookies section.

Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.

Location:
docs/platforms/javascript/common/data-management/data-collected/index.mdx#L44-L49

Potential issue: The documentation for server-side HTTP Headers is incorrectly displayed
for Cloudflare and Deno users. It states that the `Http Integration` captures headers by
default, but this integration is not supported on those platforms. This is inconsistent
with other parts of the documentation, such as the server-side Cookies section, which
correctly hides itself for unsupported platforms, leading to potential confusion for
developers using Cloudflare or Deno.


Use the `dataCollection.httpHeaders` option to control header collection. For example, set `dataCollection: { httpHeaders: false }` to disable it, or use `{ allow: [...] }` or `{ deny: [...] }` to restrict which header values are sent.

## Cookies

By default, the Sentry SDK doesn't send cookies. When using `dataCollection`, however, cookies are collected with sensitive values (like `token` or `key`) scrubbed. Opt out by setting `dataCollection: { cookies: false }`.
<PlatformSection notSupported={["javascript.node", "javascript.aws-lambda", "javascript.azure-functions", "javascript.connect", "javascript.express", "javascript.fastify", "javascript.gcp-functions", "javascript.hapi", "javascript.hono", "javascript.koa", "javascript.nitro", "javascript.nestjs", "javascript.deno", "javascript.cloudflare", "javascript.bun"]}>

By default, the Sentry SDK doesn't send cookies in browser environments. When using `dataCollection`, cookies are collected with sensitive values (like `token` or `key`) scrubbed.

The <PlatformLink to="/configuration/integrations/httpclient/">HttpClient Integration</PlatformLink> captures cookies when collection is enabled:

- **Fetch requests**: Both request cookies (from the `Cookie` header) and response cookies (from `Set-Cookie`).
- **XHR requests**: Response cookies only (from `Set-Cookie`). Request cookies cannot be read from XHR requests due to browser API limitations.

</PlatformSection>

<PlatformSection notSupported={["javascript", "javascript.angular", "javascript.capacitor", "javascript.cordova", "javascript.ember", "javascript.gatsby", "javascript.react", "javascript.solid", "javascript.svelte", "javascript.vue", "javascript.wasm", "javascript.cloudflare", "javascript.deno"]}>

On the server-side, cookies from incoming requests are collected when using `dataCollection` (or the deprecated `sendDefaultPii: true`) via the <PlatformLink to="/configuration/integrations/http/">Http Integration</PlatformLink>.

</PlatformSection>

To collect cookies when not using `dataCollection`, set the deprecated `sendDefaultPii: true` in `Sentry.init()`. To disable cookie collection when using `dataCollection`, set `dataCollection: { cookies: false }`. You can also restrict which cookie values are sent using `{ allow: [...] }` or `{ deny: [...] }`.
Sensitive cookie names are filtered automatically even when cookie collection is enabled. To disable cookie collection, set `dataCollection: { cookies: false }`. You can also restrict which cookie values are sent using `{ allow: [...] }` or `{ deny: [...] }`.

## Information About Logged-in User
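
Review bot: The Cookies text disagrees with itself on what is scrubbed: the browser paragraph says cookies are collected "with sensitive values (like `token` or `key`) scrubbed", while the closing paragraph says "Sensitive cookie names are filtered automatically". Use one wording and say whether the cookie name is kept with its value replaced, as the headers section does with `[Filtered]`, or whether the whole cookie is dropped. The browser paragraph also says collection happens "When using `dataCollection`" without naming the setting that turns it on; the headers section spells out `dataCollection: { httpHeaders: true }`, and the cookies text should give its equivalent just as explicitly so a reader does not enable cookie capture by setting an unrelated `dataCollection` key.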
