Session Replay

Learn how TellBack records user interactions using DOM mutation streams, configure privacy masking modes, and manage recording caps.

Last updated:

Session replay allows you to reconstruct a visual playback of user sessions. Instead of recording heavy video files, TellBack streams lightweight DOM mutations to recreate high-fidelity streams inside your dashboard.


How Replay Works

TellBack utilizes the open-source rrweb recording suite.

  • DOM Event Replay: The script watches the webpage's Document Object Model (DOM) for alterations (mutations, style additions, mouse movements, scrolling, click focus) and serializes them.
  • Lightweight Streaming: These mutation events are queued locally and flushed periodically in compressed JSON chunks.
  • Replay Player: The dashboard compiles these JSON chunks and reconstructs the user's interface state dynamically inside a sandboxed player frame. No raw video files (like MP4 or WebM) are ever captured, rendered, or stored on your servers.

Max Recording Duration Cap

Replay recording is capped by the configured maximum recording duration (which defaults to 15 minutes). When the cap is reached, replay recording stops, while broader session behavior follows the normal session lifecycle.

This cap protects client resource utilization, keeps network upload sizes predictable, and aligns with workspace storage allocations.


Replay Masking Modes

To protect visitor privacy, TellBack lets you toggle between three distinct Replay Masking Modes in your dashboard settings (Settings > Sites > Replay Config):

1. strict

  • Behavior: The script masks all visible text on the webpage.
  • Implementation: Tells rrweb to match * for text masking. Every text element inside the DOM is automatically replaced with ••• symbols during serialization, ensuring that no document content is captured.

2. balanced (Default)

  • Behavior: Selectively redacts common PII (Personally Identifiable Information) patterns while preserving the readability of general content layout headers and buttons.
  • Redaction Patterns: The client-side sanitizer parses DOM events and replaces the following regex matches with placeholder strings:
    • Emails (***@***.***)
    • Payment Cards (13 to 16 digits replaced with masked credit card blocks)
    • Phone Numbers (***-***-****)
    • JWT Tokens (JWT_TOKEN_REDACTED)
    • Long Hex Tokens / API keys (32+ characters)
    • Base64 secrets / encoded keys (40+ characters)
  • Scope: Sanitizer matches apply to textContent, input values, placeholders, titles, image alt attributes, and aria-label labels.

3. relaxed

  • Behavior: Disables custom regex text redactions, capturing layout text fields exactly as they appear to the user.
  • Input Security: Standard input field masking remains active. All interactive input, textarea, and select tag values are masked to prevent capturing user forms.

Input Field Masking (Active in All Modes)

Regardless of the selected masking mode, standard form protection remains strictly enforced:

  • All interactive inputs (input, textarea, select) have maskAllInputs set to true, preventing raw typing logs.
  • Sensitive elements (passwords, files, contenteditables) and custom containers matching .tellback-block are blocked from DOM capture entirely, displaying as empty placeholders.

Privacy Responsibility
Site owners are responsible for providing appropriate visitor notices and obtaining any required consent for feedback collection, pageview tracking, session context, replay, audio, screenshots, and AI processing.