USER SESSIONS
Security and Privacy

13min
Relicx takes a security and privacy first approach to collecting and storing user data. 
All sensitive or confidential data can be blocked, tokenized, or redacted on the browser side. This ensures that no confidential data is ever sent to Relicx
Well-known PII data such as email, password, credit card, US social security, etc. is automatically tokenized/redacted. Relicx session recording will only show a parameterized token ($EMAIL, $PASSWORD, etc.) rather than the actual values entered by the user. Additional fields or UI elements can be blocked or redacted as described below.
Data is encrypted in transit and at rest
Row-level database security ensures only you have access to your session recordings
﻿
Configuring Privacy
Relicx allows you to configure privacy policies using the UI or programmatically. You have the option to
Redact/tokenize any user input fields. This will ensure that Relicx session recordings only contain parameters tokens (e.g. $DEPOSIT_AMOUNT) instead of the actual value. By parametrizing the user input, Relicx allows you to create data-driven tests based on user sessions/flows while ensuring data privacy.
Completely block certain parts of the UI using the block class capability. The blocked classes will be completely excluded from the session recording. Please note that no user interaction will be recorded against the blocked classes and thus those steps will not be part of any Relicx generated tests. This option should, therefore, be used with caution and primarily to exclude sensitive static information such as text or images that don't involve any user interaction. 
Redaction Rules
Out of the box redaction
The following fields are redacted by default and you do not need to enter any rules for these. We will continue to add and revise this list periodically 
Credit card number 
US social security number
Password
Phone number
Credentials
Monetary values
Numeric data
Configuring Redaction Via UI
You can Relicx UI for no-code redaction configuration. The redaction rules can be configured using the CSS properties, such as
Attributes
Selectors
XPath
The example below shows how to configure a redaction rule using CSS attributes. The Selectors and XPath based rules are also similar. 
﻿
To configure the redaction for the email field, open the inspect mode using the browser right-click menu and select the "inspect" option. 
(Please note that this is just for illustration purposes. Email fields are automatically redacted and no additional configuration is needed).

﻿
﻿
In the inspect mode, you will see the various attributes of this field 
﻿
You can use the name and the type attribute to redact this field input. The screenshot below shows two entries. One for the name attribute with email value, and the one for the type attribute.  The redaction rules apply to more than one field then all the fields will be redacted. The rule applies to the entire app and not on individual pages. With this redaction rule in place, Relicx will automatically redact any CSS element in the application with name=email or type=email to $EMAIL in session recordings. 
﻿
Block Class
We can also block an entire element of a webpage, making sure everything inside of it is removed and never appears in Relicx, we do this by blocking the class of the sensitive element (such as an image, chart, or anything else).

For example: Our demo banking application shows various charts on the dashboard, one or more of them may be sensitive. Let's imagine we want to make sure the "Balance Summary" chart below is redacted:
﻿
If we inspect the HTML of our webpage, we find the code representing our chart
<div class="card-body">
  <div id="balanceSummary" class="balance-chart bar-chart">
    <div style="width: 100%; height: 100%;">
        <h4 class="mb-3 text-center">Account Balance Summary</h4>
    </div>
  </div>
</div>
In our case, if we tell Relicx to block the class balance-chart (a class unique to the element we want to remove), it will ensure all the information from that element never reaches Relicx (this includes any inner elements present). 

Note: In this case, we should not block card-body as that would block all elements that use that class, we should be as specific as possible.
Once you have the class name, you can create a block class rule under Settings --> Applications --> Privacy. The example below shows the block class configuration for the class named balance-chart. 
﻿
With this block class configuration in place, Relicx will no longer receive any information about the contents of that chart element, as a result, session replay will simply display what is left, an empty card with no sensitive information.

Note: the outer element is retained, just its contents are redacted
Configuring Redaction and Blocks Programmatically
While Relicx supports a number of methods to block and redact sensitive information, the recommended method to apply these privacy rules would be to add these special class identifiers that will automatically block or redact sensitive data. This is particularly useful if your application is evolving fast and you can simply add this class and the privacy rules are applied automatically. 
The idea here is rather than blocking elements based on their classes and attributes they already have, (which would be maintained as rules in Relicx), we instead add special class identifiers to these elements directly in our own code, which allows the redaction itself to be source-controlled.
Relicx supports two programmatic ways to specify privacy rules. 
relicx-block
Elements with the class relicx-block class will be blocked.
Example: if we have an element (in green) in the below code we want to be blocked:
<div class="card-body">
  <div id="balanceSummary" class="balance-chart bar-chart">
    <div style="width: 100%; height: 100%;">
        <h4 class="mb-3 text-center">Account Balance Summary</h4>
    </div>
  </div>
</div>
We can add relicx-block as a class of the outer div:
<div class="card-body">
  <div id="balanceSummary" class="﻿relicx-block balance-chart bar-chart">
    <div style="width: 100%; height: 100%;">
        <h4 class="mb-3 text-center">Account Balance Summary</h4>
    </div>
  </div>
</div>
Relicx effectively sees the following DOM: 
<div class="card-body">
  <div id="balanceSummary" class="﻿relicx-block balance-chart bar-chart">
  </div>
</div>
Note: the outer element is retained, just its contents are redacted.
relicx-mask
Often we will want to not block an element, but replace the contents of an input field. A classic example that is redacted by default in Relicx would be passwords. Any time a user enters a password in a session recorded by Relicx, it is redacted by default and replaced with a parameter ${REDACTED_PASSWORD}
We may want to do this with other Input elements which are sensitive within our application, we can do this by adding the attribute relicx-mask="name"
The value of the attribute will be the name of the parameter in Relicx. In this case, the value the user enters into the input field will be redacted to ${name}. 'name' could be 'account_number', 'address', etc.
As an example, let's imagine we have the field "Initial Deposit Amount:
<div class="col col-sm-4">
    <label class="form-control-label">
        <strong>Initial Deposit Amount</strong>
    </label>
    <input type="text" class="form-control" id="openingBalance" value="">
</div>
All we have to do to mask the input value here (so we never record the true opening balance), is add in the attribute, let's name our parameter balance
<div class="col col-sm-4">
    <label class="form-control-label">
        <strong>Initial Deposit Amount</strong>
    </label>
    <input relicx-mask="balance" type="text" class="form-control" id="openingBalance" value="">
</div>
This will replace the value entered into the "Initial Deposit Amount" input in any recorded session with the parameter ${balance}
Updated 04 Dec 2023
Did this page help you?
Generating Tests from User Sessions
Application & Environments