[cl0rkster]

I'm not sure that logrocket belongs on such a "security" checklist. While I understand the value that they propose to offer, I'm not sure that wholesale recording your users' sessions and then sending them to a third-party server for storage and retrieval really meshes with my idea of security - especially if the site contains PII. I fully understand that you can intentionally do work to hide that information from logrocket, but that is putting a lot of trust in both devs and in logrocket to get that one right.

While there may be such a tool, I'm not aware of something like this that runs as a first party script and uses local storage. It would indeed be very useful to escape the logs->screenshots->can't reproduce cycle mentioned.

[benthehenten]

I'm on the LogRocket team.

Your concern is fair, though many modern analytics tools can capture PII if not properly configured. It is important when using any such tools, including LogRocket, that developers understand the scope of the data collected and properly censor things like SSN, Credit Cards, or health data.

Some of our more security-conscious customers also just run LogRocket on their own servers with our self-hosted version. In this case, the script becomes first party, and they can configure behavior where no data leaves the client unless a user specifically gives permission.

[cl0rkster]

That is awesome to hear that there is a self-hosted version. I was reading through your docs hoping to find something like that. Is there somewhere on your site that I missed which gives more details about this?

[benthehenten]

So far, we've worked with a few larger customers to run LogRocket on their own infrastructure (or their own AWS environment in some cases), but we haven't publicized the specifics yet.

If you shoot me an email (ben at logrocket) I'd be happy to discuss in more detail :)