Session Replay
Learn how TellBack records user interactions using DOM mutation streams, configure privacy masking modes, and manage recording caps.
Session replay allows you to reconstruct a visual playback of user sessions. Instead of recording heavy video files, TellBack streams lightweight DOM mutations to recreate high-fidelity streams inside your dashboard.
How Replay Works
TellBack utilizes the open-source rrweb recording suite.
- DOM Event Replay: The script watches the webpage's Document Object Model (DOM) for alterations (mutations, style additions, mouse movements, scrolling, click focus) and serializes them.
- Lightweight Streaming: These mutation events are queued locally and flushed periodically in compressed JSON chunks.
- Replay Player: The dashboard compiles these JSON chunks and reconstructs the user's interface state dynamically inside a sandboxed player frame. No raw video files (like MP4 or WebM) are ever captured, rendered, or stored on your servers.
Max Recording Duration Cap
Replay recording is capped by the configured maximum recording duration (which defaults to 15 minutes). When the cap is reached, replay recording stops, while broader session behavior follows the normal session lifecycle.
This cap protects client resource utilization, keeps network upload sizes predictable, and aligns with workspace storage allocations.
Replay Masking Modes
To protect visitor privacy, TellBack lets you toggle between three distinct Replay Masking Modes in your dashboard settings (Settings > Sites > Replay Config):
1. strict
- Behavior: The script masks all visible text on the webpage.
- Implementation: Tells
rrwebto match*for text masking. Every text element inside the DOM is automatically replaced with•••symbols during serialization, ensuring that no document content is captured.
2. balanced (Default)
- Behavior: Selectively redacts common PII (Personally Identifiable Information) patterns while preserving the readability of general content layout headers and buttons.
- Redaction Patterns: The client-side sanitizer parses DOM events and replaces the following regex matches with placeholder strings:
- Emails (
***@***.***) - Payment Cards (13 to 16 digits replaced with masked credit card blocks)
- Phone Numbers (
***-***-****) - JWT Tokens (
JWT_TOKEN_REDACTED) - Long Hex Tokens / API keys (32+ characters)
- Base64 secrets / encoded keys (40+ characters)
- Emails (
- Scope: Sanitizer matches apply to
textContent, input values, placeholders, titles, image alt attributes, andaria-labellabels.
3. relaxed
- Behavior: Disables custom regex text redactions, capturing layout text fields exactly as they appear to the user.
- Input Security: Standard input field masking remains active. All interactive
input,textarea, andselecttag values are masked to prevent capturing user forms.
Input Field Masking (Active in All Modes)
Regardless of the selected masking mode, standard form protection remains strictly enforced:
- All interactive inputs (
input,textarea,select) havemaskAllInputsset to true, preventing raw typing logs. - Sensitive elements (passwords, files, contenteditables) and custom containers matching
.tellback-blockare blocked from DOM capture entirely, displaying as empty placeholders.
Privacy Responsibility
Site owners are responsible for providing appropriate visitor notices and obtaining any required consent for feedback collection, pageview tracking, session context, replay, audio, screenshots, and AI processing.