It seems that some time between the release of 2.0 and now the Sentry client started to send post data by default. That is quite a major change, since this risks sending sensitive data to the Sentry servers. I understand that some people might want this, but why is it the default? I can't find any mention of this in the documentation or how to turn it off.
By digging through the code I discovered that this was probably introduced in #807 and that it can be turned off by setting the option 'max_request_body_size' => 'none'. In times of GDPR and frequent data leaks I really think this should be the default.
I can't find any mention of this in the documentation or how to turn it off.
The link in the comment I posted some time ago in #807 doesn't work anymore, but the comment from @HazAT said that the docs had to be updated. It may be that it hasn't been done, however I tend to agree that request data can contain sensitive information and should not be sent by default under any circumstance.
It's true that POST Body can contain sensitive data.
By default, our SDK doesn't send any sensitive data that is most likely to contain sensitive data, like cookies, IP address, auth headers.
This can be enabled by setting 'send_default_pii' => true.
That this part about max_request_body_size is missing in the docs is a "bug" that we will fix to make it more clear.
That it wasn't part of the initial 2.0 was just a timing issue, it was planned to ship with 2.0.
Hope this explains the situation.
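An initialization that keeps request bodies and default PII out of events, using the two options named in this thread, as an added example (not code from the issue or from the Sentry project). The DSN is a placeholder, Composer autoloading is assumed, and the `before_send` scrubber with its helper name `stripRequestBody` is a hypothetical extra safeguard that assumes the `Event::getRequest()` / `Event::setRequest()` accessors of sentry-php 2.x.

```php
<?php
// Assumes the SDK was installed with Composer.
require __DIR__ . '/vendor/autoload.php';

/**
 * Hypothetical helper: remove the parts of the captured request that are
 * most likely to carry secrets (body, cookies, credential headers).
 */
function stripRequestBody(array $request): array
{
    // 'data' holds the parsed POST body, 'cookies' the request cookies.
    unset($request['data'], $request['cookies']);

    foreach (array_keys($request['headers'] ?? []) as $name) {
        $lower = strtolower((string) $name);
        if (in_array($lower, ['authorization', 'cookie', 'set-cookie'], true)) {
            unset($request['headers'][$name]);
        }
    }

    return $request;
}

\Sentry\init([
    'dsn' => 'https://publicKey@example.invalid/1', // placeholder DSN

    // Option discussed in this issue: never attach the request body.
    'max_request_body_size' => 'none',

    // Keep cookies, IP address and auth headers out of events.
    'send_default_pii' => false,

    // Second line of defence: scrub the request again just before sending,
    // so a later change of the two options above does not leak the body.
    'before_send' => static function (\Sentry\Event $event): ?\Sentry\Event {
        $event->setRequest(stripRequestBody($event->getRequest()));

        return $event;
    },
]);
```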