sentry-security-basics
Configure Sentry security settings and data protection. Use when setting up data scrubbing, managing sensitive data, or configuring security policies. Trigger with phrases like "sentry security", "sentry PII", "sentry data scrubbing", "secure sentry".
Install
mkdir -p .claude/skills/sentry-security-basics && curl -L -o skill.zip "https://mcp.directory/api/skills/download/8965" && unzip -o skill.zip -d .claude/skills/sentry-security-basics && rm skill.zipInstalls to .claude/skills/sentry-security-basics
About this skill
Sentry Security Basics
Overview
Configure Sentry's security posture: PII scrubbing with beforeSend, built-in data scrubbing, IP anonymization, browser SDK URL filtering, DSN vs auth token handling, CSP reporting, and GDPR data deletion. Covers both client-side (SDK) and server-side (dashboard) controls.
Prerequisites
- Sentry project created with Owner or Admin role
@sentry/node>= 8.x or@sentry/browser>= 8.x installed (orsentry-sdk>= 2.x for Python)- Compliance requirements identified (GDPR, SOC 2, HIPAA, CCPA)
- List of sensitive data patterns for your domain (PII fields, API keys, tokens)
Instructions
Step 1 — Understand DSN vs Auth Token Security
The DSN (Data Source Name) is a client-facing identifier — it tells the SDK where to send events. It is NOT a secret.
https://<public-key>@o<org-id>.ingest.us.sentry.io/<project-id>
- The DSN cannot read data, delete events, or modify settings
- It is safe to ship in client-side JavaScript bundles
- Restrict abuse via Allowed Domains (Project Settings > Client Keys > Configure)
Auth tokens ARE secrets — they grant API access to read/write/delete data:
# NEVER commit auth tokens — store in CI secrets or vault
# GitHub Actions: Settings > Secrets > SENTRY_AUTH_TOKEN
# GitLab CI: Settings > CI/CD > Variables (protected + masked)
# Generate tokens with MINIMAL scopes:
# CI releases: project:releases, org:read
# Issue triage: project:read, event:read
# NEVER: org:admin, member:admin in CI
# Rotate tokens quarterly — revoke unused tokens immediately
# Create separate tokens per pipeline (staging vs production)
Step 2 — Disable Default PII Collection
sendDefaultPii defaults to false — but always set it explicitly so intent is clear:
import * as Sentry from '@sentry/node';
Sentry.init({
dsn: process.env.SENTRY_DSN,
sendDefaultPii: false, // explicit: no IPs, no cookies, no user-agent
});
When sendDefaultPii: false (default):
- No IP addresses attached to events
- No cookies sent in request data
- No user-agent strings in request headers
- No request body data captured
- User context must be set manually via
Sentry.setUser()
# Python equivalent
import sentry_sdk
sentry_sdk.init(
dsn=os.environ["SENTRY_DSN"],
send_default_pii=False, # default, but be explicit
)
Step 3 — Client-Side PII Scrubbing with beforeSend
beforeSend runs before every event leaves the client. Use it to strip PII that leaks into error messages, request data, or breadcrumbs:
Sentry.init({
dsn: process.env.SENTRY_DSN,
sendDefaultPii: false,
beforeSend(event, hint) {
// --- Scrub sensitive headers ---
if (event.request?.headers) {
delete event.request.headers['Authorization'];
delete event.request.headers['Cookie'];
delete event.request.headers['X-Api-Key'];
delete event.request.headers['X-Auth-Token'];
}
// --- Scrub request body fields ---
if (event.request?.data) {
try {
const data = typeof event.request.data === 'string'
? JSON.parse(event.request.data)
: { ...event.request.data };
const sensitiveKeys = [
'password', 'passwd', 'secret', 'token',
'ssn', 'credit_card', 'card_number', 'cvv',
'api_key', 'apiKey', 'access_token', 'refresh_token',
];
for (const key of Object.keys(data)) {
if (sensitiveKeys.some(s => key.toLowerCase().includes(s))) {
data[key] = '[REDACTED]';
}
}
event.request.data = JSON.stringify(data);
} catch {
// non-JSON body — leave as-is
}
}
// --- Scrub PII from exception messages ---
if (event.exception?.values) {
for (const exc of event.exception.values) {
if (exc.value) {
// Email addresses
exc.value = exc.value.replace(
/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
'[EMAIL_REDACTED]'
);
// IPv4 addresses
exc.value = exc.value.replace(
/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
'[IP_REDACTED]'
);
// Credit card numbers (with optional separators)
exc.value = exc.value.replace(
/\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/g,
'[CC_REDACTED]'
);
// Bearer tokens in messages
exc.value = exc.value.replace(
/Bearer\s+[A-Za-z0-9\-._~+/]+=*/g,
'Bearer [TOKEN_REDACTED]'
);
}
}
}
// --- Scrub user context ---
if (event.user) {
delete event.user.email;
delete event.user.ip_address;
// Keep event.user.id for issue grouping (non-PII identifier)
}
return event;
},
});
Python equivalent using before_send:
import re
def before_send(event, hint):
# Scrub emails from exception messages
if 'exception' in event:
for exc in event['exception'].get('values', []):
if exc.get('value'):
exc['value'] = re.sub(
r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}',
'[EMAIL_REDACTED]',
exc['value']
)
exc['value'] = re.sub(
r'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b',
'[IP_REDACTED]',
exc['value']
)
# Strip user PII
if 'user' in event:
event['user'].pop('email', None)
event['user'].pop('ip_address', None)
# Scrub request headers
request = event.get('request', {})
headers = request.get('headers', {})
for key in ['Authorization', 'Cookie', 'X-Api-Key']:
headers.pop(key, None)
return event
sentry_sdk.init(
dsn=os.environ["SENTRY_DSN"],
send_default_pii=False,
before_send=before_send,
)
Step 4 — Server-Side Data Scrubbing Rules
Configure in Project Settings > Security & Privacy:
| Setting | What it does |
|---|---|
| Data Scrubber | Auto-scrubs fields matching common PII patterns (enabled by default) |
| Sensitive Fields | Custom field names to always scrub: password, ssn, credit_card_number, api_key, secret, token, authorization |
| Safe Fields | Fields excluded from scrubbing (e.g., transaction_id, correlation_id) |
| Scrub IP Addresses | Removes or zeroes IP addresses on all events |
| Scrub Credit Cards | Detects and removes card number patterns |
Organization-wide defaults: Organization Settings > Security & Privacy applies to all projects unless overridden at project level.
Advanced scrubbing rules (regex-based) can target specific event paths:
# Example server-side rules (configure in UI):
# Pattern: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
# Target: $message, $error.value, $extra.**
# Action: Replace with [Filtered]
# Pattern: \b\d{3}-\d{2}-\d{4}\b
# Target: $extra.**, $contexts.**
# Action: Replace with [Filtered] (SSN pattern)
Step 5 — Browser SDK URL Filtering
Use denyUrls and allowUrls to control which scripts generate captured errors:
Sentry.init({
dsn: process.env.SENTRY_DSN,
// Ignore errors from third-party scripts
denyUrls: [
/extensions\//i, // Browser extensions
/^chrome:\/\//i, // Chrome internal
/^chrome-extension:\/\//i, // Chrome extensions
/^moz-extension:\/\//i, // Firefox extensions
/graph\.facebook\.com/i, // Facebook SDK
/connect\.facebook\.net/i, // Facebook SDK
/cdn\.jsdelivr\.net/i, // CDN-hosted third-party
],
// Only capture errors from your own code
allowUrls: [
/https?:\/\/(www\.)?example\.com/i,
/https?:\/\/staging\.example\.com/i,
],
});
Also configure Allowed Domains in Project Settings > Client Keys (DSN) > Configure to prevent unauthorized origins from sending events to your DSN:
example.com
*.example.com
staging.example.com
Step 6 — CSP Reporting via Sentry
Sentry can ingest Content-Security-Policy violation reports. Use the Security Headers endpoint (not the main DSN):
# Find the report URI in Project Settings > Security Headers
# Format: https://o<org-id>.ingest.us.sentry.io/api/<project-id>/security/?sentry_key=<public-key>
Add to your CSP header:
Content-Security-Policy: default-src 'self'; script-src 'self'; report-uri https://o123456.ingest.us.sentry.io/api/789/security/?sentry_key=abc123
Or use the newer report-to directive:
Report-To: {"group":"sentry","max_age":86400,"endpoints":[{"url":"https://o123456.ingest.us.sentry.io/api/789/security/?sentry_key=abc123"}]}
Content-Security-Policy: default-src 'self'; report-to sentry
Step 7 — GDPR Data Deletion
Sentry supports right-to-erasure requests via API:
# Delete a specific issue and all its events
curl -X DELETE \
-H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
"https://sentry.io/api/0/projects/$SENTRY_ORG/$SENTRY_PROJECT/issues/$ISSUE_ID/"
# Delete events by tag (find issues for a specific user first)
curl -H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
"https://sentry.io/api/0/projects/$SENTRY_ORG/$SENTRY_PROJECT/issues/?query=user.id:$USER_ID" \
| jq '.[].id' \
| xargs -I{} curl -X DELETE \
-H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
"https://sentry.io/api/0/projects/$SENTRY_ORG/$SENTRY_PROJECT/issues/{}/"
For bulk deletion, use Organization Settings > Data Privacy > Data Removal Requests (Business/Enterprise plans).
Data retention settings: Organization Settings > Subscription > Event Retention — configure 30/60/90-day retention windows to auto-purge old data.
Step 8 — Auth Token Hygiene Checklist
# Scan codebase for leaked auth tokens
grep -rn "sntrys_" --include="*.ts" --include="*.js" --include="*.py" \
---
*Content truncated.*
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
pdf-to-markdown
aliceisjustplaying
Convert entire PDF documents to clean, structured Markdown for full context loading. Use this skill when the user wants to extract ALL text from a PDF into context (not grep/search), when discussing or analyzing PDF content in full, when the user mentions "load the whole PDF", "bring the PDF into context", "read the entire PDF", or when partial extraction/grepping would miss important context. This is the preferred method for PDF text extraction over page-by-page or grep approaches.
Related MCP Servers
Browse all servers
Kash.clickKash.click — Intégration complète avec le POS français pour gérer ventes, catalogue produits, clients et paramètres bout
GitHubExtend your developer tools with GitHub MCP Server for advanced automation, supporting GitHub Student and student packag
RepomixOptimize your codebase for AI with Repomix—transform, compress, and secure repos for easier analysis with modern AI tool
Google GenAI ToolboxGoogle GenAI Toolbox: open-source GenAI database agent and AI database connector for Google Cloud database—query Cloud S
NotionEnhance productivity with AI-driven Notion automation. Leverage the Notion API for secure, automated workspace managemen
SlackPowerful MCP server for Slack with advanced API, message fetching, webhooks, and enterprise features. Robust Slack data
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.