Privacy Options

All options are nested under options.privacy when calling init() or configuring MilanaProvider. Every option is optional and falls back to the default value shown. For an introduction to privacy controls and usage examples, see the Privacy Controls guide.

privacy.blockClass

string | RegExp

default:"milana-block"

Elements with this CSS class are blocked — their content is replaced with a blank placeholder and never sent to Milana. Accepts a plain string class name or a regular expression to match multiple classes.

privacy.blockSelector

string | null

default:"null"

A CSS selector that identifies additional elements to block. Use this alongside blockClass for elements you cannot annotate with a class, for example third-party widgets: '[data-private], .stripe-payment-form'.

privacy.ignoreClass

string

default:"milana-ignore"

Elements with this class are not interacted with in the recording. Mouse events and keyboard input on these elements are omitted.

privacy.ignoreSelector

string | null

default:"null"

A CSS selector that identifies additional elements to ignore for interaction recording.

privacy.maskTextClass

string

default:"milana-mask"

Text content inside elements with this class is replaced with * characters of the same length in the recording.

privacy.maskInputClass

string

default:"milana-mask"

Input values inside elements with this class (or any ancestor with this class) are masked. Applies to <input>, <select>, <textarea>, and <option> elements.

privacy.maskInputTypes

object

A map of input[type] values to mask by default, regardless of class. The built-in defaults are merged with any values you provide — you cannot remove the defaults from the list, only add to it.Default masked input types:

Input type	Masked by default
`password`	Yes
`tel`	Yes
`email`	Yes

To also mask number fields:

maskInputTypes: {
  number: true
}

privacy.shouldTrackQueryParams

boolean

default:"true"

Whether URL query parameters are recorded when the user navigates. Set to false to strip all query strings from recorded URLs entirely.

privacy.queryTrackingParamsDenyList

RegExp[]

default:"[]"

Additional patterns to redact from recorded URLs. The value of any matching query parameter is replaced with --redacted-- in the recording.These patterns extend the built-in denylist — they do not replace it. The built-in denylist redacts the following parameter names by default:

Pattern	Matches
`/^jwt$/i`	`jwt`
`/^code$/i`	`code`
`/token/i`	any param containing `token`
`/password/i`	any param containing `password`
`/secret/i`	any param containing `secret`
`/key/i`	any param containing `key`
`/auth/i`	any param containing `auth`
`/nonce/i`	any param containing `nonce`
`/csrf/i`	any param containing `csrf`

To add your own patterns:

queryTrackingParamsDenyList: [
  /^session_id$/i,
  /^invite_token$/i
]

Documentation Index