Hotjar suppresses all keystroke data by default, replacing text with asterisks("***"), quantity of orders/quantity field within shopping carts with "111", and date input fields as "01/01/1979". However, you can allow certain fields as long as they do not fall under our Allowing Restrictions.
Allowing input to show takes priority over on-page text suppression
If a text field that is allowed contains a number or email address, the text will be shown on Recordings, Heatmap, and Feedback screenshots even if on-page text suppression is turned on.
You can learn more about on-page text suppression in our Suppressing On-Page Text article.
To allow these elements and keystrokes, you will need to alter your site's HTML code and add the attribute data-hj-allow to them.
Data-hj-allow will not work recursively. This means that applying this attribute to a parent container will have no effect. You will need to apply this attribute to each individual field you wish to allow.
Apply the data-hj-allow attribute to your HTML.
<!--data-hj-allow can be appended as either an attribute or a class -->
<!-- Allow and record any keystroke data typed in input fields -->
<input name="code" type="text" data-hj-allow />
<input class="form-control data-hj-allow" name="quantity" type="text" />
<!-- Allow and record any keystroke data typed in textareas -->
<textarea name="comment" data-hj-allow></textarea>
<textarea class="form-control data-hj-allow" name="comment"></textarea> Allowing can only be applied to text input elements
The code above can only be added to form field elements like <input> or <textarea> tags. It will not work for <p> or <div> elements. Additionally, data-hj-allow is not supported for text that is encapsulated within a closed shadow root.
Go to your site list.
Select the gear icon for your site to open the Site Settings.
Uncheck the Suppress keystroke data on allowed input fields box to allow the data to be recorded.
Once you have followed both steps, the allowed fields you selected in your code will now be recorded as long as they are not included in our Allowing Restrictions mentioned in the section below.
A note about expected suppression behavior
While viewing Recordings, any unfilled text fields that are set to be suppressed will show 15-17 asterisk characters, even though the field is empty.
Allowing restrictions
Restrictions are in place which will prevent you from allowing fields with potentially sensitive personal information. These fields will always be suppressed by the Hotjar script, even if they are allowed.
Keystroke data will never be recorded or sent to our servers and is always suppressed for:
- Longer numbers, such as credit card and phone numbers: If a user enters 9 or more digits in sequence, Hotjar assumes that this is a Credit Card or Phone number so the data is suppressed. Although credit card numbers can be detected through an algorithm, we purposely chose to use a more basic method since an algorithm could fail to suppress a credit card number with an accidental typo.
- Email Addresses: If a user enters what appears to be an email address, the data is suppressed.
- Fields of a specific HTML Type: Any fields using one of the following HTML types - password, email
- Input fields with specific Names or IDs: Any input fields with an HTML Name or ID attribute equal to one of the following - username, name, firstname, surname, lastname, familyname, fullname, email, phone, ,cell, cellphone, telephone, tel, postcode, postalcode, zip, zipcode, mobile, address, ssn, security, securitynum, socialsec, socialsecuritynumber, socsec, ppsn, nationalinsurancenumber, nin, dob,dateofbirth, password, pass, adgangskode, authpw, contrasena, contrasenya, contrasinal, cyfrinair, contraseña, fjalëkalim, focalfaire, IP, creditcard, cc, ccnum, ccname, ccnumber, ccexpiry, ccexp, ccexpmonth, ccexpyear, cccvc, cccvv, cctype, cvc, cvv. For names and IDs, case and the symbols "-" and "_" are ignored.