From 76a6d85e50af6fdfd7b38fff11dafd0f4c1b8a6e Mon Sep 17 00:00:00 2001
From: Alexander Pantiukhov <alex@apantiukhov.com>
Date: Tue, 16 Jun 2026 11:45:18 +0200
Subject: [PATCH 1/2] docs(react-native): Document Session Replay network
 details options

Add a Network Details section to the React Native Session Replay docs,
covering the new `networkDetailAllowUrls`, `networkDetailDenyUrls`,
`networkCaptureBodies`, `networkRequestHeaders` and
`networkResponseHeaders` options on `mobileReplayIntegration`.

Mirrors the structure of the existing Apple and Android Session
Replay configuration pages (allow/deny list, defaults, header opt-in,
body capture opt-in, 150 KB cap, server-side scrubbing note) and
calls out the React Native-specific constraints \u2014 XHR-only support
for now (covers axios), authorization-like headers always stripped,\n`UNPARSEABLE_BODY_TYPE` for binary bodies.

Related: getsentry/sentry-react-native#6288
---
 .../react-native/session-replay/index.mdx     | 88 +++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/docs/platforms/react-native/session-replay/index.mdx b/docs/platforms/react-native/session-replay/index.mdx
index dd4e3f7b8bbe58..53b2f3be637dfa 100644
--- a/docs/platforms/react-native/session-replay/index.mdx
+++ b/docs/platforms/react-native/session-replay/index.mdx
@@ -214,6 +214,94 @@ integrations: [
 ]
 ```
 
+## Network Details
+
+_Available in React Native SDK 8.15.0 and later_
+
+By default, Replay captures basic information about all outgoing HTTP requests in your application &mdash; URL, request and response body sizes, method, and status code. To limit the chance of collecting private data, request/response **headers** and **bodies** are _not_ captured unless you explicitly opt in.
+
+You opt in by listing the URLs you want enriched in `networkDetailAllowUrls`. Pick only URLs that are safe for capturing bodies and avoid any endpoints that may contain Personally Identifiable Information (PII).
+
+<Alert>
+
+Body and header content will be PII-sanitized server-side, based on object keys and values. Refer to [Server-Side Scrubbing](/security-legal-pii/scrubbing/server-side-scrubbing/) for more details.
+
+</Alert>
+
+<Alert level="warning">
+
+Only **XHR**-based requests are currently supported (this covers `axios` and most popular HTTP clients on React Native). Native `fetch` body capture will be added in a follow-up.
+
+</Alert>
+
+The SDK exposes the following options on `mobileReplayIntegration`:
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| `networkDetailAllowUrls` | `(string \| RegExp)[]` | `[]` | URL patterns to enable capture of request/response headers (and bodies, when `networkCaptureBodies` is `true`). String patterns use substring matching; `RegExp` is matched via `.test(url)`. |
+| `networkDetailDenyUrls` | `(string \| RegExp)[]` | `[]` | URL patterns to **never** enable capture for, even if an allow pattern matches them. |
+| `networkCaptureBodies` | `boolean` | `false` | Controls whether request and response bodies are captured for allow-listed URLs. Disabled by default since bodies can contain sensitive payloads &mdash; opt in explicitly. |
+| `networkRequestHeaders` | `string[]` | `[]` | Additional request header names to capture for allow-listed URLs, in addition to the defaults (`Content-Type`, `Content-Length`, `Accept`). |
+| `networkResponseHeaders` | `string[]` | `[]` | Additional response header names to capture for allow-listed URLs, in addition to the defaults (`Content-Type`, `Content-Length`, `Accept`). |
+
+Any URL matching the given pattern(s) will be enriched with headers and (optionally) bodies:
+
+```javascript {tabTitle:Mobile}
+import * as Sentry from "@sentry/react-native";
+
+Sentry.init({
+  dsn: "___PUBLIC_DSN___",
+  replaysSessionSampleRate: 1.0,
+  replaysOnErrorSampleRate: 1.0,
+  integrations: [
+    Sentry.mobileReplayIntegration({
+      networkDetailAllowUrls: ["https://api.example.com"],
+      networkCaptureBodies: true,
+    }),
+  ],
+});
+```
+
+String patterns use substring matching &mdash; any URL containing the string will match. For exact or more complex matches, pass a `RegExp`:
+
+```javascript {tabTitle:Mobile}
+integrations: [
+  Sentry.mobileReplayIntegration({
+    networkDetailAllowUrls: [
+      "api.example.com",                 // substring match
+      /^https:\/\/api\.example\.com\/.*/, // regex match
+    ],
+    networkDetailDenyUrls: [/\/auth\//],  // never capture details for auth endpoints
+    networkCaptureBodies: true,
+  }),
+]
+```
+
+Requests to a matching URL will include request and response bodies (when `networkCaptureBodies` is `true`) as well as the following default headers:
+
+- `Content-Type`
+- `Content-Length`
+- `Accept`
+
+To capture additional headers, configure `networkRequestHeaders` and `networkResponseHeaders`. The defaults are always included:
+
+```javascript {tabTitle:Mobile}
+integrations: [
+  Sentry.mobileReplayIntegration({
+    networkDetailAllowUrls: ["https://api.example.com"],
+    networkCaptureBodies: true,
+    networkRequestHeaders: ["Cache-Control", "X-My-Header"],
+    networkResponseHeaders: ["Referrer-Policy", "X-Response-Header"],
+  }),
+]
+```
+
+<Alert>
+
+Authorization-like headers (`Authorization`, `Cookie`, `Set-Cookie`, `X-API-Key`, `X-Auth-Token`, `Proxy-Authorization`) are always stripped, regardless of configuration. Captured bodies are truncated to ~150 KB; truncated payloads include a `MAX_BODY_SIZE_EXCEEDED` warning. Binary bodies (`Blob`, `ArrayBuffer`, typed arrays) are skipped with an `UNPARSEABLE_BODY_TYPE` warning instead of being inlined.
+
+</Alert>
+
 ## React Component Names
 
 Sentry helps you capture your React components and unlock additional insights in your application. You can set it up to use React component names.

From a3ca5e7a2eb528e6f452f70f2bc418102ccf8b21 Mon Sep 17 00:00:00 2001
From: Alex Krawiec <alex.krawiec@sentry.io>
Date: Tue, 16 Jun 2026 14:35:35 -0700
Subject: [PATCH 2/2] fix(typos): Allowlist UNPARSEABLE_BODY_TYPE SDK constant

The React Native Session Replay SDK emits `UNPARSEABLE_BODY_TYPE` as a
warning identifier, which gets referenced verbatim in the new network
details docs on this branch. The typos linter (v1.47.2) flags
`UNPARSEABLE` and prefers `UNPARSABLE`, but the constant name is fixed
by the SDK and the docs must match.

Allowlist the constant and its `UNPARSEABLE` substring in `_typos.toml`,
mirroring the existing `MIGRATED_GETTING_STARTD_DOCS`/`STARTD` pattern
that handles the same situation for an external Sentry backend constant.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 _typos.toml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/_typos.toml b/_typos.toml
index 6c476e05e4e9de..7fc8c07de024a0 100644
--- a/_typos.toml
+++ b/_typos.toml
@@ -77,3 +77,5 @@ aso = "aso"                             # Intentional variable name in utils.ts
 MIGRATED_GETTING_STARTD_DOCS = "MIGRATED_GETTING_STARTD_DOCS" # Matches actual constant in Sentry backend (external)
 STARTD = "STARTD"                       # Part of MIGRATED_GETTING_STARTD_DOCS - needed because typos parses words in markdown text
 ERRO = "ERRO"                           # Special case - Part of "ERRORs" in legacy-sdk/integrations.mdx (logging level context)
+UNPARSEABLE_BODY_TYPE = "UNPARSEABLE_BODY_TYPE" # Constant emitted by React Native Session Replay SDK
+UNPARSEABLE = "UNPARSEABLE"             # Part of UNPARSEABLE_BODY_TYPE - needed because typos parses words in markdown text