I'm not sure that logrocket belongs on such a "security" checklist. While I understand the value that they propose to offer, I'm not sure that wholesale recording your users' sessions and then sending them to a third-party server for storage and retrieval really meshes with my idea of security - especially if the site contains PII. I fully understand that you can intentionally do work to hide that information from logrocket, but that is putting a lot of trust in both devs and in logrocket to get that one right.
While there may be such a tool, I'm not aware of something like this that runs as a first party script and uses local storage. It would indeed be very useful to escape the logs->screenshots->can't reproduce cycle mentioned.
Your concern is fair, though many modern analytics tools can capture PII if not properly configured. It is important when using any such tools, including LogRocket, that developers understand the scope of the data collected and properly censor things like SSN, Credit Cards, or health data.
Some of our more security-conscious customers also just run LogRocket on their own servers with our self-hosted version. In this case, the script becomes first party, and they can configure behavior where no data leaves the client unless a user specifically gives permission.
That is awesome to hear that there is a self-hosted version. I was reading through your docs hoping to find something like that. Is there somewhere on your site that I missed which gives more details about this?
So far, we've worked with a few larger customers to run LogRocket on their own infrastructure (or their own AWS environment in some cases), but we haven't publicized the specifics yet.
If you shoot me an email (ben at logrocket) I'd be happy to discuss in more detail :)
Proper full stack devs are rare, but they do exist, and they're worth their weight in gold to any company with under 50 staff. I've been 'full stack' my entire career but it takes a long time to actually become a competent full stack dev.
A proper full stack dev can make design and implementation decisions at all levels, while being able to visualise the effect of those changes over the entire system, in detail, at low level. They're also able to communicate these changes not only to an uber-low-level introverted developer, but also to sit with the CEO/CTO and rationalise their decision in terms of cost and savings.
And of course, they're able to drop anchor, exit the elevator at any level and get on the tools.
Not every company can afford to have a person dedicated to security. No full stack developer is a complete generalist -- everyone specializes naturally. The point is that they are comfortable doing a wide range of tasks. For some people that might make more sense.