Merged
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -23,6 +23,10 @@
});
```

### Changes

- Default `mobileReplayIntegration({ networkCaptureBodies })` to `true`, matching the iOS and Android native SDK defaults ([#6372](https://github.com/getsentry/sentry-react-native/pull/6372))

### Fixes

- The Sentry Babel transformer no longer injects `@sentry/babel-plugin-component-annotate` unless `annotateReactComponents` is explicitly enabled ([#6347](https://github.com/getsentry/sentry-react-native/pull/6347))
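Review bot: The `### Changes` entry presents the new `networkCaptureBodies` default as SDK parity only and does not tell upgrading users what changes for them. Apps that already set `networkDetailAllowUrls` and never set `networkCaptureBodies` will start recording request and response bodies for those URLs after upgrading. Suggest saying so in the entry and naming the opt-out, `mobileReplayIntegration({ networkCaptureBodies: false })`, so the behaviour change is visible from the changelog alone.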
18 changes: 11 additions & 7 deletions packages/core/src/js/replay/mobilereplay.ts
Expand Up @@ -181,14 +181,18 @@

/**
* If request and response bodies should be captured for URLs matched by
* `networkDetailAllowUrls`. When `false` (the default), only headers are
* captured for allow-listed URLs — opt in explicitly to record bodies, since
* they can contain sensitive payloads.
* `networkDetailAllowUrls`. Enabled by default — set to `false` to capture
* only headers for allow-listed URLs when you cannot tolerate body payloads
* being recorded.
*
* Bodies are truncated at ~150 KB; truncated payloads include a
* `MAX_BODY_SIZE_EXCEEDED` warning.
* `MAX_BODY_SIZE_EXCEEDED` warning. URLs only enter the capture path after
* being explicitly allow-listed via `networkDetailAllowUrls`, so the
* default-on behaviour does not implicitly capture every request body.
*
* @default false
* Aligned with the iOS and Android native SDK defaults.
*
* @default true
*/
networkCaptureBodies?: boolean;

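Review bot: The rewritten doc comment for `networkCaptureBodies` drops the removed sentence's warning that bodies "can contain sensitive payloads" and replaces it with the softer "when you cannot tolerate body payloads being recorded". With the default now `true`, that warning matters more, not less; suggest keeping it explicitly. The added reassurance that URLs must be allow-listed only limits which requests are captured, it does not limit what an allow-listed body contains, so the comment could also advise keeping `networkDetailAllowUrls` patterns narrow.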
Expand Down Expand Up @@ -222,7 +226,7 @@
screenshotStrategy: 'pixelCopy',
Comment thread
sentry-warden[bot] marked this conversation as resolved.
networkDetailAllowUrls: [],
networkDetailDenyUrls: [],
networkCaptureBodies: false,
networkCaptureBodies: true,

Check warning on line 229 in packages/core/src/js/replay/mobilereplay.ts

@sentry/warden / warden: code-review

Changing `networkCaptureBodies` default silently enables body capture for existing users

Existing users who have `networkDetailAllowUrls` configured but never set `networkCaptureBodies` will silently start recording request and response bodies after upgrading — this is a breaking behavioral change that can expose sensitive payloads without any user action.
networkRequestHeaders: [],
networkResponseHeaders: [],
};
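Review bot: In the defaults object, `networkCaptureBodies: true` sits beside `networkDetailAllowUrls: []`, so a fresh install captures nothing, but any existing config with a non-empty allow list changes behaviour without a code change on the user's side. Suggest a one-time debug log when the allow list is non-empty and `networkCaptureBodies` was left unset, so the switch from header-only to body capture is observable after upgrade.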
Expand Down Expand Up @@ -388,7 +392,7 @@
const networkOptions: ResolvedNetworkOptions = {
allowUrls: options.networkDetailAllowUrls ?? [],
denyUrls: options.networkDetailDenyUrls ?? [],
captureBodies: options.networkCaptureBodies ?? false,
captureBodies: options.networkCaptureBodies ?? true,

Check warning on line 395 in packages/core/src/js/replay/mobilereplay.ts

@sentry/warden / warden: code-review

[LGJ-2NU] Changing `networkCaptureBodies` default silently enables body capture for existing users (additional location)

Existing users who have `networkDetailAllowUrls` configured but never set `networkCaptureBodies` will silently start recording request and response bodies after upgrading — this is a breaking behavioral change that can expose sensitive payloads without any user action.
requestHeaders: options.networkRequestHeaders ?? [],
responseHeaders: options.networkResponseHeaders ?? [],
};
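Review bot: The fallback `options.networkCaptureBodies ?? true` repeats the literal already set in the defaults object at line 229 (the check annotation also lists this as an additional location), so the default now lives in two places that must be changed together. Suggest reading the fallback from a single shared constant or from the defaults object. `??` still honours an explicit `false`, so the opt-out works; a test asserting both the unset case and the explicit `false` case would pin that down.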