Record network request/response bodies in Session Replay

[alwx]

📢 Type of change

• Bugfix
• New feature
• Enhancement
• Refactoring

📜 Description

Enrich Mobile Session Replay with HTTP request/response headers and bodies, surfacing them in the Replay network tab (in addition to the URL, method, status code and body sizes already captured).

The feature is opt-in: nothing extra is captured until you list URLs in networkDetailAllowUrls. Five new options are added on mobileReplayIntegration:

Option	Type	Default	Purpose
networkDetailAllowUrls	(string | RegExp)[]	[]	URLs to enrich with headers (and bodies, when networkCaptureBodies is on). Strings use substring match; regexes use .test(url).
networkDetailDenyUrls	(string | RegExp)[]	[]	URLs to never enrich, even if they match the allow list.
networkCaptureBodies	boolean	false	Opt in to capturing request/response bodies for allow-listed URLs.
networkRequestHeaders	string[]	[]	Extra request headers to capture, in addition to the defaults.
networkResponseHeaders	string[]	[]	Extra response headers to capture, in addition to the defaults.

Sentry.init({
  dsn: "___PUBLIC_DSN___",
  integrations: [
    Sentry.mobileReplayIntegration({
      networkDetailAllowUrls: ["api.example.com", /^https:\/\/cdn\./],
      networkDetailDenyUrls: [/\/auth\//],
      networkCaptureBodies: true,
      networkRequestHeaders: ["X-My-Header"],
      networkResponseHeaders: ["X-Response-Header"],
    }),
  ],
});

How it works

• JS layer (packages/core/src/js/replay/):
  • xhrUtils.ts registers a beforeAddBreadcrumb hook that enriches each xhr breadcrumb with request / response sides containing headers and optionally a serialized body.
  • networkUtils.ts handles URL allow/deny matching (regex lastIndex is reset on each call so global-flag patterns stay stateless; empty strings in the allow list are ignored), body serialization (strings, URLSearchParams, FormData, plain JSON, and primitives like 42 / true), and a 150 KB truncation cap that surfaces a MAX_BODY_SIZE_EXCEEDED warning. Binary payloads (Blob, ArrayBuffer, typed arrays) are recorded as a placeholder with an UNPARSEABLE_BODY_TYPE warning rather than serialized to "{}".
  • Headers are filtered against an allow list (Content-Type, Content-Length, Accept by default, plus user-supplied); authorization-like headers (Authorization, Cookie, Set-Cookie, X-API-Key, X-Auth-Token, Proxy-Authorization) are always stripped.
• Native layer (Android Java + iOS ObjC RNSentryReplayBreadcrumbConverter):
  • Forward the enriched request / response dicts to the native rrweb span event for Mobile Replay.
  • Strip the JS-internal _meta key before forwarding so the native replay SDKs only see fields they understand.
  • Numeric fields (start_timestamp, end_timestamp, status_code, request_body_size, response_body_size) accept any Number subtype on Android — the RN bridge can surface them as Long/Integer, which previously crashed (ClassCastException) or were silently dropped.

Scope and limitations

• XHR only for now. This covers axios and most popular HTTP clients on React Native. Native fetch body capture will be added in a follow-up.
• Bodies and headers are PII-scrubbed server-side; users should still be deliberate about which URLs they allow-list.

💡 Motivation and Context

Closes #4106 — long-standing request to inspect HTTP payloads in Mobile Session Replay alongside what the JS browser Replay SDK already exposes for fetch/XHR on the web.

Companion docs PR: getsentry/sentry-docs#18423.

💚 How did you test it?

• JS unit tests (packages/core/test/replay/xhrUtils.test.ts, 20 cases): allow/deny URL matching (string + regex, empty strings, regex lastIndex), header filtering (defaults + extras, deny-list always stripped), body serialization (string / URLSearchParams / FormData / object / number / boolean), binary body placeholders (Blob, ArrayBuffer, Uint8Array) producing UNPARSEABLE_BODY_TYPE with a synthetic placeholder body so warnings survive the native _meta strip, and the 150 KB truncation cap producing MAX_BODY_SIZE_EXCEEDED.
• Android native tests (RNSentryAndroidTester/.../RNSentryReplayBreadcrumbConverterTest.kt): network breadcrumb forwarding with _meta stripped from both sides, empty-after-strip sides dropped, and non-Double Number subtypes (Long/Integer) accepted for all five numeric fields.
• iOS native tests (RNSentryCocoaTester/.../RNSentryReplayBreadcrumbConverterTests.swift): equivalent coverage for the _meta strip and empty-after-strip cases.
• Manually verified end-to-end on a sample app: bodies + headers visible in the Replay network tab; binary bodies show the placeholder; sensitive headers (Authorization, Cookie) never appear regardless of configuration.

📝 Checklist

• I added tests to verify changes
• No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled
  • Body / header capture is fully opt-in (empty default allow list + networkCaptureBodies: false by default); authorization-like headers are always stripped.
• I updated the docs if needed.
  • See companion PR: docs(react-native): Document Session Replay network details options sentry-docs#18423.
• I updated the wizard if needed.
• All tests passing
• No breaking changes

🔮 Next steps

• Add native fetch body capture (currently XHR only — covers axios but not raw fetch).

[github-actions]

Semver Impact of This PR

⚪ None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

• Record network request/response bodies in Session Replay by alwx in #6288

• chore(deps): bump tar from 7.5.11 to 7.5.16 by dependabot in #6293
• fix(ci): Update renamed @sentry-internal/* packages in JS updater script by antonis in #6294
• chore(deps): bump launch-editor from 2.11.1 to 2.14.1 by dependabot in #6291
• chore(deps-dev): bump @babel/core from 7.26.7 to 7.29.6 by dependabot in #6292
• fix(deps): Resolve shell-quote to >=1.8.4 (Dependabot RNSentryModule.captureEvent is ignoring environment #547) by antonis in #6286
• fix(ci): Support version catalog in android SDK version check by antonis in #6280
• test(e2e): Bump E2E tests to React Native 0.86.0 by antonis in #6268
• feat(android): Add nativeStackAndroid support to NativeLinkedErrors by lucas-zimerman in #6278
• chore(deps): bump ruby/setup-ruby from 1.310.0 to 1.313.0 by dependabot in #6282
• chore(deps): update Maestro to v2.6.1 by github-actions in #6277
• chore(deps): bump gradle/actions from 6.1.0 to 6.2.0 by dependabot in #6284
• chore(deps): bump getsentry/craft from 2.26.8 to 2.26.10 by dependabot in #6283
• chore(deps): bump getsentry/craft/.github/workflows/changelog-preview.yml from 2.26.8 to 2.26.10 by dependabot in #6281
• chore(deps): update Sentry Android Gradle Plugin to v6.11.0 by github-actions in #6275
• chore(deps): update Android SDK to v8.43.2 by github-actions in #6273
• chore(deps): bump joi from 17.13.3 to 17.13.4 by dependabot in #6279
• chore(deps): update Cocoa SDK to v9.17.1 by github-actions in #6272
• docs(replay): clarify fast renderer option docs by leohara in #6276
• feat(core): Warn when multiple versions of Sentry JS SDK are detected by antonis in #6269

---

_{🤖 This preview updates automatically when you update the PR.}

[alwx]

@cursor review

[antonis]

Overall LGTM! Added a few comments to consider. Let's also update the PR description for future reference.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 0a1e41e. Configure here.}

[antonis]

LGTM 🚀
Just added the ready-to-merge label be be on the safe side since this is a big PR :)

[sentry]

📲 Install Builds

Android

🔗 App Name	App ID	Version	Configuration
Sentry RN	io.sentry.reactnative.sample	8.14.0 (91)	Release

⚙️ sentry-react-native Build Distribution Settings

[github-actions]

iOS (legacy) Performance metrics 🚀

	Plain	With Sentry	Diff
Startup time	3837.72 ms	1214.34 ms	-2623.38 ms
Size	5.15 MiB	6.69 MiB	1.54 MiB

Baseline results on branch: main

Startup times

Revision	Plain	With Sentry	Diff
5125c43+dirty	3846.45 ms	1221.12 ms	-2625.32 ms
8929511+dirty	1216.42 ms	1219.02 ms	2.60 ms
a3265b6+dirty	3826.31 ms	1207.87 ms	-2618.44 ms
c004dae+dirty	3850.32 ms	1227.79 ms	-2622.53 ms
9210ae6+dirty	3815.93 ms	1214.14 ms	-2601.79 ms
3d377b5+dirty	1218.48 ms	1219.51 ms	1.03 ms
853723c+dirty	3852.60 ms	1234.64 ms	-2617.96 ms
04207c4+dirty	1191.27 ms	1189.78 ms	-1.48 ms
4953e94+dirty	1212.06 ms	1214.83 ms	2.77 ms
0b5a379+dirty	3828.91 ms	1214.12 ms	-2614.79 ms

App size

Revision	Plain	With Sentry	Diff
5125c43+dirty	5.15 MiB	6.68 MiB	1.53 MiB
8929511+dirty	3.38 MiB	4.80 MiB	1.42 MiB
a3265b6+dirty	5.15 MiB	6.68 MiB	1.53 MiB
c004dae+dirty	5.15 MiB	6.67 MiB	1.51 MiB
9210ae6+dirty	5.15 MiB	6.68 MiB	1.53 MiB
3d377b5+dirty	3.38 MiB	4.76 MiB	1.38 MiB
853723c+dirty	5.15 MiB	6.69 MiB	1.53 MiB
04207c4+dirty	3.38 MiB	4.76 MiB	1.38 MiB
4953e94+dirty	3.38 MiB	4.73 MiB	1.35 MiB
0b5a379+dirty	5.15 MiB	6.70 MiB	1.54 MiB