# Masking Sensitive Data

Wallarm provides **Mask sensitive data** [rules](https://docs.wallarm.com/user-guides/rules/rules.md) to keep sensitive data from leaking outside the trusted environment. These rules cut the original value of the specified request point before the request is sent to the postanalytics module and Wallarm Cloud. This article describes how to use these rules.

## Overview

In [hybrid](https://docs.wallarm.com/about-wallarm/shared-responsibility.md#overview) Wallarm installations, where you manage the Wallarm filtering nodes in your infrastructure and Wallarm manages the Wallarm Cloud component, it is crucial that sensitive data in your requests remains secure within your infrastructure and is not transmitted to any third-party service, including [Wallarm Cloud](https://docs.wallarm.com/about-wallarm/overview.md#how-wallarm-works).

This goal is achieved using the [shared responsibility model](https://docs.wallarm.com/about-wallarm/shared-responsibility.md). On its side, Wallarm never transmits data exceeding the protection goal and stores all the obtained data [securely](https://docs.wallarm.com/about-wallarm/shared-responsibility.md#client-data-storage-in-cloud). On your side, Wallarm gives you full visibility into what data is sent from the node to the Cloud and a [set of tools](https://docs.wallarm.com/admin-en/export-to-cloud.md) to shape this transfer to your needs. Masking of sensitive data is one of these tools.

!!! info "Other deployment forms"
    In **security edge** [installations](https://docs.wallarm.com/about-wallarm/shared-responsibility.md#overview), data is outside your security perimeter; you can still use masking rules to restrict access to the sensitive data by the users of Wallarm Console.

## Side effects

Consider that using **Mask sensitive data** rules can affect:

* The display of [attacks](https://docs.wallarm.com/user-guides/events/check-attack.md) 
* The [enumeration attack protection](https://docs.wallarm.com/api-protection/enumeration-attack-protection.md)
* The API Sessions [grouping](https://docs.wallarm.com/api-sessions/setup.md#session-grouping) and [display of context parameters](https://docs.wallarm.com/api-sessions/setup.md#extra-parameters)

## Creating and applying the rule

To set and apply a data mask:

1. Proceed to Wallarm Console:

    * **Rules WAF** → **Add rule** or your branch → **Add rule**.
    * **Attacks** / **Incidents** → attack/incident → hit → **Rule**.
    * **API Discovery** (if [enabled](https://docs.wallarm.com/api-discovery/setup.md)) → your endpoint → **Create rule**.
1. Choose **Change requests/responses** → **Mask sensitive data**.
1. In **If request is**, [describe](https://docs.wallarm.com/user-guides/rules/rules.md#configuring) the scope to apply the rule to.
1. In **In this part of request**, specify the [request points](https://docs.wallarm.com/user-guides/rules/request-processing.md) whose original values should be cut.
1. Wait for the [rule compilation and uploading to the filtering node to complete](https://docs.wallarm.com/user-guides/rules/rules.md#ruleset-lifecycle).

## Example: masking of a cookie value

Let us say your application accessible at the `example.com` domain uses the `PHPSESSID` cookie for user authentication and you want to deny access to this information for employees using Wallarm.

To do so, set the **Mask sensitive data** rule as displayed in the screenshot.

Note that the options you add to **In this part of request** must go in a particular order that reflects the order in which Wallarm will [apply parsers](https://docs.wallarm.com/user-guides/rules/request-processing.md) to read the required request element.

![Marking sensitive data](https://docs.wallarm.com/images/user-guides/rules/sensitive-data-rule.png)
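
The effect of the rule from this example, modelled in stand-alone Python as an added illustration (this is not Wallarm's code or API). The `mask_request` and `leaks` helpers, the `POINT` tuple notation, the `*****` placeholder and the sample cookie value are assumptions made for the example.

```python
from http.cookies import SimpleCookie

# Assumption: fixed-length placeholder, so the token length is not revealed.
MASK = "*****"
# Ordered request point: read the Cookie header first, then parse it as
# cookies and select one by name. The order mirrors the parser order.
POINT = [("header", "COOKIE"), ("cookie", "PHPSESSID")]


def mask_request(host, headers, rule_host="example.com", point=POINT):
    """Return a copy of `headers` with the value at `point` cut,
    when the request is in the rule scope (Host matches `rule_host`)."""
    out = dict(headers)
    if host.lower() != rule_host:
        return out  # outside the rule scope: nothing is changed
    (p1, header_name), (p2, cookie_name) = point
    if (p1, p2) != ("header", "cookie"):
        raise ValueError("point must be ordered header -> cookie")
    for name, value in headers.items():
        if name.upper() != header_name:
            continue
        jar = SimpleCookie()
        jar.load(value)
        parts = []
        for key, morsel in jar.items():
            # Only the named cookie is cut; other cookies stay readable.
            val = MASK if key == cookie_name else morsel.value
            parts.append(f"{key}={val}")
        out[name] = "; ".join(parts)
    return out


def leaks(headers, secret):
    """Pre-export check: does any header value still carry the secret?"""
    return any(secret in value for value in headers.values())


# Constructed sample request headers (not real traffic).
SAMPLE_HEADERS = {
    "Host": "example.com",
    "Cookie": "PHPSESSID=9f2c1ab47de0; theme=dark",
}

if __name__ == "__main__":
    masked = mask_request("example.com", SAMPLE_HEADERS)
    print(masked["Cookie"])
    print("leaks:", leaks(masked, "9f2c1ab47de0"))
```

A check like `leaks` is a convenient way to confirm, on test traffic, that the session identifier no longer appears in the data leaving the node once the rule is active.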
