sentry-data-handling
Manage sensitive data properly in Sentry. Use when configuring PII scrubbing, data retention, GDPR compliance, or data security settings. Trigger with phrases like "sentry pii", "sentry gdpr", "sentry data privacy", "scrub sensitive data sentry".
Install
mkdir -p .claude/skills/sentry-data-handling && curl -L -o skill.zip "https://mcp.directory/api/skills/download/8963" && unzip -o skill.zip -d .claude/skills/sentry-data-handling && rm skill.zipInstalls to .claude/skills/sentry-data-handling
About this skill
Sentry Data Handling
Configure PII scrubbing, GDPR compliance, data retention, and audit controls for Sentry. This skill covers client-side filtering with beforeSend, server-side scrubbing rules, data subject erasure via API, and SOC 2 compliance patterns.
Overview
Sentry captures error context that often contains personally identifiable information (PII) — emails in stack traces, credit card numbers in request bodies, IP addresses in headers. Production deployments must scrub this data at two layers: client-side via beforeSend hooks (before data leaves the application) and server-side via Sentry's built-in Data Scrubber (defense in depth). GDPR requires additional controls: consent-based initialization, data subject deletion endpoints, and a signed Data Processing Agreement. This skill implements all three layers with TypeScript and Python examples, plus verification tests to prove scrubbing works end-to-end.
Prerequisites
- Sentry SDK v8 installed and initialized (
@sentry/nodeorsentry-sdk) - Sentry project with Admin or Owner role (required for Security & Privacy settings)
- Compliance requirements documented (GDPR, HIPAA, PCI-DSS, or SOC 2)
- Auth token with
project:writeandorg:adminscopes for API operations - Data Processing Agreement signed at https://sentry.io/legal/dpa/ (GDPR requirement)
Instructions
Step 1 — Client-Side PII Scrubbing with beforeSend
The first defense layer prevents PII from leaving your application. Configure beforeSend, beforeSendTransaction, and beforeBreadcrumb hooks during SDK initialization:
import * as Sentry from '@sentry/node';
Sentry.init({
dsn: process.env.SENTRY_DSN,
// CRITICAL: disable automatic PII collection
// When false, Sentry will NOT capture IP addresses, cookies, or user-agent
sendDefaultPii: false,
beforeSend(event) {
return scrubEvent(event);
},
beforeSendTransaction(event) {
return scrubEvent(event);
},
beforeBreadcrumb(breadcrumb) {
if (breadcrumb.data) {
const sensitiveKeys = ['password', 'token', 'secret', 'api_key', 'authorization'];
for (const key of sensitiveKeys) {
if (breadcrumb.data[key]) {
breadcrumb.data[key] = '[REDACTED]';
}
}
}
return breadcrumb;
},
});
Implement the scrubEvent function to strip PII from headers, request bodies, error messages, and user context:
function scrubEvent(event: Sentry.Event): Sentry.Event | null {
// Strip sensitive headers
if (event.request?.headers) {
const redactHeaders = ['Authorization', 'Cookie', 'X-Api-Key', 'X-Auth-Token'];
for (const header of redactHeaders) {
delete event.request.headers[header];
}
}
// Scrub request body fields
if (event.request?.data) {
const data = typeof event.request.data === 'string'
? safeJsonParse(event.request.data)
: event.request.data;
if (data && typeof data === 'object') {
scrubObject(data as Record<string, unknown>);
event.request.data = JSON.stringify(data);
}
}
// Scrub PII patterns from error messages
if (event.exception?.values) {
for (const exc of event.exception.values) {
if (exc.value) {
exc.value = scrubPiiPatterns(exc.value);
}
}
}
// Reduce user context to anonymous ID only
if (event.user) {
event.user = { id: event.user.id };
}
return event;
}
function scrubObject(obj: Record<string, unknown>): void {
const sensitiveKeys = [
'password', 'passwd', 'secret', 'token', 'api_key', 'apiKey',
'ssn', 'social_security', 'credit_card', 'cc_number', 'cvv',
'email', 'phone', 'address', 'dob', 'date_of_birth',
];
for (const key of Object.keys(obj)) {
if (sensitiveKeys.some(sk => key.toLowerCase().includes(sk))) {
obj[key] = '[REDACTED]';
} else if (typeof obj[key] === 'string') {
obj[key] = scrubPiiPatterns(obj[key] as string);
} else if (typeof obj[key] === 'object' && obj[key] !== null) {
scrubObject(obj[key] as Record<string, unknown>);
}
}
}
function scrubPiiPatterns(str: string): string {
return str
.replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, '[EMAIL]')
.replace(/\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{1,7}\b/g, '[CC_NUMBER]')
.replace(/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN]')
.replace(/\b(\+1)?[\s-]?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{4}\b/g, '[PHONE]');
}
function safeJsonParse(str: string): unknown {
try { return JSON.parse(str); } catch { return null; }
}
Python equivalent — use the same before_send pattern:
import sentry_sdk
import re
def scrub_event(event, hint):
"""Remove PII from Sentry events before transmission."""
# Strip sensitive headers
request = event.get("request", {})
headers = request.get("headers", {})
for key in ["Authorization", "Cookie", "X-Api-Key"]:
headers.pop(key, None)
# Scrub user context to anonymous ID
user = event.get("user")
if user:
event["user"] = {"id": user.get("id")}
# Scrub PII patterns from exception messages
for exc in event.get("exception", {}).get("values", []):
if exc.get("value"):
exc["value"] = re.sub(
r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}",
"[EMAIL]", exc["value"]
)
return event
sentry_sdk.init(
dsn=os.environ["SENTRY_DSN"],
send_default_pii=False,
before_send=scrub_event,
traces_sample_rate=0.1,
)
Step 2 — Server-Side Data Scrubbing and IP Anonymization
Server-side scrubbing acts as defense in depth. Configure in Project Settings > Security & Privacy:
- Enable Data Scrubber — automatically redacts values matching common PII field names (password, token, secret)
- Custom Sensitive Fields — add project-specific fields:
password,secret,token,api_key,ssn,credit_card,cvv,authorization
- Safe Fields — fields that must never be scrubbed:
transaction_id,order_id,request_id,trace_id
- Scrub IP Addresses — enable to remove client IPs from all events
- Scrub Credit Cards — detect and remove card number patterns
For advanced regex-based rules, navigate to Project Settings > Security & Privacy > Advanced Data Scrubbing:
# Remove credit card patterns from all string fields
[Remove] [Regex: \d{4}-\d{4}-\d{4}-\d{4}] from [$string]
# Remove email addresses everywhere
[Remove] [Regex: \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b] from [$string]
# Remove SSN patterns
[Remove] [Regex: \b\d{3}-\d{2}-\d{4}\b] from [$string]
# Mask passwords in request bodies
[Mask] [Password] from [extra.request_body]
# Replace credit card data everywhere with placeholder
[Replace] [Credit card] with [REDACTED] from [**]
Data forwarding — if forwarding events to external systems (Splunk, BigQuery), apply the same scrubbing rules at the destination. Configure forwarding in Project Settings > Data Forwarding.
Data retention — configure in Organization Settings > Subscription > Data Retention:
| Plan | Default retention | Maximum retention |
|---|---|---|
| Developer | 30 days | 30 days |
| Team | 90 days | 90 days |
| Business | 90 days | 365 days |
| Enterprise | 90 days | Custom |
Step 3 — GDPR Compliance and Data Subject Requests
Right to be Informed — document Sentry usage in your privacy policy. Disclose what data is collected (stack traces, device info, anonymized user IDs) and the legal basis (legitimate interest in application reliability).
Consent-based initialization — for strict GDPR compliance, gate Sentry on user consent:
function initSentryWithConsent(hasConsent: boolean): void {
if (!hasConsent) {
// Do not initialize Sentry — no data sent
return;
}
Sentry.init({
dsn: process.env.SENTRY_DSN,
sendDefaultPii: false,
beforeSend: scrubEvent,
});
}
Right to Erasure (Article 17) — delete user data via the Sentry API:
# Delete all events for a specific issue
curl -X DELETE \
-H "Authorization: Bearer ${SENTRY_AUTH_TOKEN}" \
"https://sentry.io/api/0/projects/${SENTRY_ORG}/${SENTRY_PROJECT}/issues/${ISSUE_ID}/" \
|| { echo "ERROR: Deletion failed — verify auth token has project:admin scope"; exit 1; }
// Programmatic deletion for data subject requests
async function handleDeletionRequest(userId: string): Promise<void> {
const org = process.env.SENTRY_ORG;
const project = process.env.SENTRY_PROJECT;
const token = process.env.SENTRY_AUTH_TOKEN;
// Search for issues containing user data
const searchRes = await fetch(
`https://sentry.io/api/0/projects/${org}/${project}/issues/?query=user.id:${userId}`,
{ headers: { Authorization: `Bearer ${token}` } }
);
if (!searchRes.ok) {
throw new Error(`Search failed: ${searchRes.status} ${searchRes.statusText}`);
}
const issues = await searchRes.json();
// Delete each matching issue
for (const issue of issues) {
const deleteRes = await fetch(
`https://sentry.io/api/0/projects/${org}/${project}/issues/${issue.id}/`,
{ method: 'DELETE', headers: { Authorization: `Bearer ${token}` } }
);
if (!deleteRes.ok) {
throw new Error(`Deletion failed for issue ${issue.id}: ${deleteRes.status}`);
}
}
console.log(`Deleted ${issues.length} issues for user ${userId}`);
}
Audit log access — Business and Enterprise plans provide audit logs at Organization Settings > Audit Log. Export via API for SOC 2 evidence:
# Retrieve audit log entries (requires org:admin scope)
curl -H "Authorization: Bearer ${SENTRY_AUTH_TOKEN}" \
"https://sentry.io/api/0/organizations/${SENTRY_ORG}/audit-logs/" \
|| echo "ERROR: Audit logs require Business or Enterprise plan"
SOC 2 compliance checklist:
- Enable audit logging (Business/Enterprise plan required)
- Co
Content truncated.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
pdf-to-markdown
aliceisjustplaying
Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.
Related MCP Servers
Browse all servers
iExec MCP ServeriExec MCP Server — AI agents handle confidential computing, decentralized data governance, Web3Mail, and blockchain wall
PangeaPangea integrates AI and cyber security tools for threat intelligence, data protection, and advanced security analysis w
Knowledge Graph MemoryBuild persistent semantic networks for enterprise & engineering data management. Enable data persistence and memory acro
RepomixOptimize your codebase for AI with Repomix—transform, compress, and secure repos for easier analysis with modern AI tool
Desktop CommanderDesktop Commander MCP unifies code management with advanced source control, git, and svn support—streamlining developmen
XcodeBuild MCPBy Sentry. MCP server and CLI that provides tools for AI agents working on iOS and macOS Xcode projects. Build, test, li
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.