Add options for disabling request body send, or remove by default

[bpicolo]

Summary

Sentry-go currently attached request bodies by default when middleware is used, which looks to have been added in #84 . Request bodies tend to include a variety of data that are covered both by internal security policies surrounding PII, as well as various legal frameworks, e.g. GDPR, CCPA.

I don't currently see a built-in option exposed for disabling this, other than custom event processors. Am I missing that option?

Otherwise, is this something that could/should be added?

Expected Behavior

A simple option to disable request body sending, as well as warnings in documentation, would be helpful in the client. Removing them by default is probably a secure-by-default ideal, but I realize many existing users probably depend on it, and expect it from a sentry client

Edit: I see now that SendDefaultPii is probably the modern sentry param for this: https://docs.sentry.io/error-reporting/configuration/?platform=go#send-default-pii

This request should probably be to support that, then?

[rhcarvalho]

@bpicolo thanks for reporting. I'm closing this as a duplicate of #175.

[rhcarvalho]

I don't currently see a built-in option exposed for disabling this, other than custom event processors. Am I missing that option?

The no-PII-by-default is something that has not been implemented yet for the Go SDK.

You are spot on on using an event processor or BeforeSend to alter events before they hit the network. Sentry also offers server-side data scrubbing, for more info please refer to

• https://docs.sentry.io/data-management/sensitive-data/#custom-event-processing-in-the-sdk
• https://docs.sentry.io/data-management/sensitive-data/#server-side-scrubbing