getsentry · antonpirker · Mar 28, 2023 · Mar 17, 2023 · Mar 28, 2023
diff --git a/src/platform-includes/configuration/event-scrubber/python.mdx b/src/platform-includes/configuration/event-scrubber/python.mdx
@@ -0,0 +1,27 @@
+If <PlatformIdentifier name="send-default-pii" /> is set to `False`, the default scrubber implementation will run automatically and filter anything in the [`denylist`](https://github.com/getsentry/sentry-python/blob/1.18.0/sentry_sdk/scrubber.py#L17-L58) from [potentially sensitive interfaces](/platforms/python/data-collected/) in the event payload.
+
+```python
+import sentry_sdk
+from sentry_sdk.scrubber import EventScrubber
+
+sentry_sdk.init(
+    # ...
+    send_default_pii=False,
+    event_scrubber=EventScrubber(),  # this is set by default
+)
+```
+
+You can also pass in a custom `denylist` to the `EventScrubber` class and filter additional fields that you want.
+
+```python
+from sentry_sdk.scrubber import EventScrubber, DEFAULT_DENYLIST
+
+# custom denylist
+denylist = DEFAULT_DENYLIST + ["my_sensitive_var"]
+
+sentry_sdk.init(
+    # ...
+    send_default_pii=False,
+    event_scrubber=EventScrubber(denylist=denylist),
+)
+```
diff --git a/src/platforms/common/configuration/options.mdx b/src/platforms/common/configuration/options.mdx
@@ -236,10 +236,18 @@ If you are using Sentry in your mobile app, read our [frequently asked questions
 
 </Note>
 
+This option is `off` by default.
+
 If you enable this option, be sure to manually remove what you don't want to send using our features for managing [_Sensitive Data_](../../data-management/sensitive-data/).
 
 </ConfigKey>
 
+<ConfigKey name="event-scrubber" supported={["python"]}>
+
+If <PlatformIdentifier name="send-default-pii" /> is `off`, scrubs the event payload for sensitive information from a `denylist`. See how to [configure the scrubber here](../../data-management/sensitive-data/#event-scrubber).
+
+</ConfigKey>
+
 <ConfigKey name="server-name" supported={["python", "node", "ruby", "php", "java", "dart", "dotnet"]} notSupported={["android"]}>
 
 This option can be used to supply a "server name." When provided, the name of the server is sent along and persisted in the event. For many integrations, the server name actually corresponds to the device hostname, even in situations where the machine is not actually a server.

diff --git a/src/platforms/common/data-management/sensitive-data/index.mdx b/src/platforms/common/data-management/sensitive-data/index.mdx
@@ -49,6 +49,18 @@ If you _do not_ wish to use the default PII behavior, you can also choose to ide
 
 ## Scrubbing Data
 
+<PlatformSection supported={["python"]}>
+
+### `event_scrubber`
+
+You can use the <PlatformIdentifier name="event-scrubber" /> configuration parameter to simplify removing sensitive data from your event payload.
+
+<PlatformContent includePath="configuration/event-scrubber" />
+
+</PlatformSection>
+
+### `before_send`
+
 SDKs provide a <PlatformIdentifier name="before-send" /> hook, which is invoked before an error or message event is sent and can be used to modify event data to remove sensitive information. Some SDKs also provide a <PlatformIdentifier name="before-send-transaction" /> hook which does the same thing for transactions. We recommend using <PlatformIdentifier name="before-send" /> and <PlatformIdentifier name="before-send-transaction" /> in the SDKs to **scrub any data before it is sent**, to ensure that sensitive data never leaves the local environment.
 
 <PlatformContent includePath="configuration/before-send" />