Dashboard Privacy
On this page:
- Why we collect this
- When it's collected
- What is collected
- What is never collected
- Cookieless and cross-site identifier free
- How to disable
Why we collect this
MockServer is free, open source, and maintained for the whole community. We collect a little anonymous usage data for one reason: to understand how the dashboard is actually used so we can make it better for everyone.
Knowing which features people genuinely rely on — and which ones they never reach, or struggle to find — lets us spend our limited maintainer time where it does the most good. Concretely, this data helps us:
- Improve the most useful features — invest effort in the parts of the dashboard people use most, instead of guessing.
- Maximise usability — spot where users hit errors or abandon a workflow, so we can smooth out the rough edges.
- Avoid wasted work — retire or rethink features that aren't earning their keep, and prioritise the ones that deliver real value.
- Benefit every MockServer user — every improvement we make from this feedback ships back to the community in the next open source release.
This is deliberately a good-faith, minimal measurement: it is anonymous, cookieless, carries none of your mock or request data (see below), and exists purely to help us build a more useful tool for the people who depend on it. If you'd still rather not take part, disabling it takes one click and changes nothing about how MockServer works for you — see How to disable.
When it's collected
Analytics is off by default and only ever runs in the official, pre-configured distributions — never in a plain build and never in local development. It is active only when MockServer is run from:
- the official Docker images (docker-standard, docker-graaljs, docker-clustered),
- the official Helm chart deployment, or
- the official binary launcher bundles.
These artefacts are the only ones that ship with an analytics endpoint and key baked in. Everywhere else it stays completely inactive, with no events sent and no consent note shown:
- the plain downloadable JAR,
- any embedded / library / dependency use of MockServer,
- local development, tests, and CI.
Even in the distributions where it is active, it is measured purely from the dashboard UI in your browser — it has nothing to do with the mock or proxy traffic flowing through MockServer — and it still respects every opt-out signal (Do Not Track, Global Privacy Control, the dashboard Opt out button, or the operator master switch). A small, one-line note appears in the dashboard the first time analytics becomes active, so you are always told it is on and can opt out at any time.
What is collected
When an operator enables analytics (by supplying a self-hosted PostHog endpoint and key), the dashboard may send a small set of coarse, anonymous usage events. No free-text values from your mocks, requests, or environment are ever included.
The four event types are:
| Event | When sent | Properties carried |
|---|---|---|
| app_open | Once per page load, after all activation gates pass | App version, surface (browser or ide-embedded), colour theme (light / dark / system), artefact distribution label (docker-standard / docker-graaljs / docker-clustered / helm / binary / unknown) — set automatically by the official artefact, never by user input |
| view_change | Each time you switch dashboard tab | The tab name (e.g. traffic, composer, chaos) |
| feature_used | When you trigger a specific feature action | Feature name from a closed enumeration (e.g. expectation_created, chaos_started, load_run_started) and optionally a mode (quick or advanced) |
| error_shown | When the dashboard displays an error to you | A coarse category from a closed enumeration (load_failed, save_failed, connection_failed, validation_failed, unknown) — never an error message or stack trace |
What is never collected
The analytics module is structurally incapable of sending the following data. Every public function accepts only values from a closed, whitelisted set — there is no code path that accepts a free-text string and forwards it to the analytics backend.
- Request URLs, paths, query strings, or hostnames
- Request or response headers (including Authorization, Cookie, or any other credential)
- Request or response bodies
- Expectation JSON, mock configurations, or scenario state
- Server ports, IP addresses, or file paths
- Error messages or stack traces
- Any data from the mocked or proxied traffic passing through MockServer
Cookieless and cross-site identifier free
Analytics is initialised with PostHog's persistence: 'memory' option. This means:
- No cookies are set.
- No persistent identifier is written to localStorage or sessionStorage for tracking purposes.
- Each page load is independent — there is no mechanism to correlate sessions or track an individual across visits.
- PostHog autocapture and session recording are both disabled.
How to disable
There are three independent ways to disable analytics:
1. Operator: disable for the whole deployment
Set the dashboardAnalyticsEnabled configuration property to false. This is the authoritative master switch — when it is off, the analytics module never loads and the consent note is never shown, regardless of any other setting.
-Dmockserver.dashboardAnalyticsEnabled="false"
MOCKSERVER_DASHBOARD_ANALYTICS_ENABLED=false
Analytics is active only in the official Docker images (docker-standard, docker-graaljs, docker-clustered), Helm chart deployments, and the official binary launcher bundles — these artefacts have dashboardAnalyticsEndpoint and dashboardAnalyticsKey pre-configured. The plain downloadable JAR and any embedded / library / dependency use have both properties empty, so analytics is always inactive there regardless of any other setting.
2. Individual: opt out via the dashboard note
When analytics is active, a small one-line disclosure note appears in the dashboard on first use. Clicking Opt out records your choice in the browser's localStorage under the key mockserver.analytics.optOut, stops any in-flight PostHog capture immediately, and prevents analytics from running on any subsequent page load in that browser.
3. Individual: browser Do Not Track or Global Privacy Control
If your browser has Do Not Track (navigator.doNotTrack === '1') or Global Privacy Control (navigator.globalPrivacyControl === true) enabled, the analytics module detects this automatically during its activation check and becomes a permanent no-op for that page load — no events are sent and no note is shown.