Flip defaults for RequestData integration #10264

@lforst

The current RequestData integration defaults include sending cookies, data (request body), headers, query strings, and the URL (I assume this means path), in addition to user ID, user name, and email (the user fields are taken from req.user).

Since the request data integration is included by default, we should rethink whether it makes sense to keep these defaults from a PII perspective.

Technically all of the fields can (and are likely to) include PII. I would suggest not capturing the following fields by default:

  • cookies
  • request body
  • IP address
  • all of the user fields (the users can set it themselves with Sentry.setUser() if they want to collect it)

Another way to look at it would be to say everything that may contain end-user input should not be included by default:

  • request body
  • query string
  • url/path
  • all of the user fields

The new default should be based on sendDefaultPii as commented here

We also need to update the docs accordingly: https://docs.sentry.io/platforms/javascript/guides/node/configuration/integrations/requestdata/#options
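
One way the defaults proposed above could be derived from sendDefaultPii, as an added example that is not part of the original issue or of the Sentry SDK. `resolveInclude` and `scrubEvent` are hypothetical helpers, the event shape and sample values are constructed, and dropping the raw Cookie header together with cookies is an assumption of this sketch.

```javascript
// Added example: hypothetical helpers, not Sentry SDK code.
// Fields the issue's first list suggests not capturing by default.
const PII_FIELDS = ['cookies', 'data', 'ip', 'user'];
const ALL_FIELDS = ['cookies', 'data', 'headers', 'ip', 'query_string', 'url', 'user'];

// Defaults follow sendDefaultPii; explicit per-field overrides always win.
function resolveInclude(sendDefaultPii, overrides = {}) {
  const include = {};
  for (const field of ALL_FIELDS) {
    include[field] = Boolean(sendDefaultPii) || !PII_FIELDS.includes(field);
  }
  return { ...include, ...overrides };
}

// Returns a scrubbed copy of the event; the input is not mutated.
// Assumed shape: request {url, query_string, headers, cookies, data},
// user {id, username, email, ip_address}.
function scrubEvent(event, include) {
  const request = { ...(event.request || {}) };
  for (const field of ['cookies', 'data', 'headers', 'query_string', 'url']) {
    if (!include[field]) delete request[field];
  }
  // Assumption: excluding cookies also means excluding the Cookie header,
  // otherwise the same values still leave through `headers`.
  if (!include.cookies && request.headers) {
    request.headers = Object.fromEntries(
      Object.entries(request.headers).filter(([name]) => name.toLowerCase() !== 'cookie'));
  }
  let user = event.user ? { ...event.user } : undefined;
  if (user && !include.ip) delete user.ip_address;
  if (user && !include.user) {
    // Drop id/username/email; keep the IP only if it was allowed above.
    user = user.ip_address !== undefined ? { ip_address: user.ip_address } : undefined;
  }
  const scrubbed = { ...event, request };
  if (user) scrubbed.user = user; else delete scrubbed.user;
  return scrubbed;
}

// Constructed sample event (not real data).
const sampleEvent = {
  request: { url: '/checkout', query_string: 'step=2', cookies: { sid: 'abc' },
    headers: { Cookie: 'sid=abc', 'User-Agent': 'test' }, data: '{"note":"hi"}' },
  user: { id: '42', username: 'alice', email: 'alice@example.test', ip_address: '203.0.113.7' },
};
```
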
