Hide Personally Identifiable Information
You must configure a set of explicit rules to prevent Personally Identifiable Information (PII) from being displayed in your data.
The default Application Performance Monitoring rules hide PII in URLs by recognizing monetary values, bank-account numbers, and dates. However, the default rules only catch obvious PII and are not exhaustive. You must evaluate the default rules and configure additional rules to ensure correct reporting in your environment and to ensure that PII is not displayed in your data.
Checking PII information
The PII check is performed on query parameters and parts of the URL. By default, the document title is not captured. When the trackScreenText setting is enabled, the document title and the text related to the clicked element are captured and reported. These could contain sensitive data.
To reduce the impact of capturing undesired data, you can configure attribute functions to capture only the desired data. (The attribute functions can be defined as udfAttribute1, udfAttribute2, ... udfAttribute9.) When the trackScreenText setting is enabled, the retrieved data is parsed to avoid unintended side effects. The logic that recognizes undesired patterns can be overruled using the rewriteRules property. See the following example:
window.apmrum.rewriteRules = [
  // Rule 1: mask e-mail addresses (local-part@domain or local-part@[IPv4]) everywhere.
  // Patterns are plain JavaScript strings, so every regex backslash is doubled.
  { context: 'all', options: 'g',
    pattern: '[a-zA-Z0-9.!#$%&\'*+/=?^_`{|}~-][a-zA-Z0-9.!#$%&\'*+/=?^_`{|}~-]*@' +
             '((\\[[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}\\])|(([a-zA-Z\\-0-9]+[.])+[a-zA-Z]{2,}))',
    replacement: '*', type: 'all-values' },
  // Rule 2: mask sequences containing at least two digit groups (ids, account numbers,
  // dates), keeping a trailing '/' or '.' (captured as $2) so the URL structure survives.
  { pattern: "([a-fA-F._:-]*[0-9]+){2,}[a-fA-F_:-]*([/.])?", replacement: "*$2" }
];
This rewriteRules property contains a list of rewrite rules that are applied sequentially. Each rule has a pattern to look for and a replacement to substitute for each match. It uses the JavaScript regular-expression engine the browser provides.
In addition, the options can be configured: 'g' for global and 'i' for case-insensitive. The type property controls where a rule is applied:
- 'all-values': to all values anywhere.
- 'path_elm', 'param_elm', 'query_elm', 'fragment': to the path, param, query/search, or fragment part of the URL, respectively.
- 'attr': to the document title and the output of the udfAttribute functions.
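The following is an added example, not code from the apmrum library or this documentation: a stand-alone model of how a list of rules with the documented shape (pattern, options, replacement, type) is applied in sequence to the separate parts of a URL and to captured text. The mapping of 'path_elm' to individual path segments, 'query_elm' to query-parameter values, 'fragment' to the fragment, 'attr' to title/udfAttribute text, and the treatment of a rule without a type as applying everywhere are assumptions made for this example; 'param_elm' is not modelled. The two rules are the ones shown above.

```javascript
// Added example (not apmrum library code): applies rewrite rules of the documented
// shape { pattern, options, replacement, type } in order to each part of a URL.
// Assumptions: 'path_elm' = per path segment, 'query_elm' = per query value,
// 'fragment' = the fragment, 'attr' = captured title/udfAttribute text, and a rule
// without a type applies everywhere. 'param_elm' is not modelled.

// The two rules documented on this page. Patterns are JavaScript strings,
// so regex backslashes are doubled.
const rewriteRules = [
  { options: 'g',
    pattern: '[a-zA-Z0-9.!#$%&\'*+/=?^_`{|}~-][a-zA-Z0-9.!#$%&\'*+/=?^_`{|}~-]*@' +
             '((\\[[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}\\])|(([a-zA-Z\\-0-9]+[.])+[a-zA-Z]{2,}))',
    replacement: '*', type: 'all-values' },
  { pattern: '([a-fA-F._:-]*[0-9]+){2,}[a-fA-F_:-]*([/.])?', replacement: '*$2' },
];

// Apply every rule that is in scope for `part`, in list order, to one string.
function applyRules(value, rules, part) {
  return rules.reduce((current, rule) => {
    const scope = rule.type || 'all-values';
    if (scope !== 'all-values' && scope !== part) return current;
    const re = new RegExp(rule.pattern, rule.options || '');
    return current.replace(re, rule.replacement);
  }, value);
}

// Mask a full URL. Path segments, query values and the fragment are rewritten
// separately so that type-scoped rules only touch the intended part.
function maskUrl(urlString, rules) {
  const url = new URL(urlString);
  url.pathname = url.pathname
    .split('/')
    .map((segment) => applyRules(segment, rules, 'path_elm'))
    .join('/');
  for (const [name, value] of [...url.searchParams.entries()]) {
    url.searchParams.set(name, applyRules(value, rules, 'query_elm'));
  }
  url.hash = applyRules(url.hash.slice(1), rules, 'fragment');
  return url.toString();
}

// Mask a captured document title or udfAttribute output.
function maskText(text, rules) {
  return applyRules(text, rules, 'attr');
}

// Constructed sample input (no real customer data).
const sampleUrl =
  'https://shop.example.com/account/12345/orders?email=jane.doe@example.com&id=98765#section-2';
console.log(maskUrl(sampleUrl, rewriteRules));
// → https://shop.example.com/account/*/orders?email=*&id=*#section-2
console.log(maskText('Invoice 2024-03-17 for jane.doe@example.com', rewriteRules));
// → Invoice * for *
```

Note that the fragment 'section-2' survives: the second rule requires at least two digit groups, so a single short number is not treated as PII, while the account number in the path, the order id and the e-mail address in the query are all replaced. Applying the rules per URL part rather than to the whole URL string keeps the separators intact, so the masked URL still aggregates correctly in reports.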
Adhere to End-user Consent for Cookie Creation
The apmrum library needs a cookie to track sessions and to allow performance diagnostics in the context of customer sessions. There are three different ways to provide a session identifier to be used.
- Provide sessionId as apmrum parameter
The apmrum object has a property called sid. When that property is set, it is used for tracking sessions. This can be helpful to correlate browser data with server-side logs. The APM server agent does not require this correlation to be able to link both. The session id needs to be generated server-side, which generally is not possible for static pages.
- Align creation of OciTrack cookie with consent from end-user
By default, the apmrum library creates an OciTrack session cookie (when the sid parameter is not set). This behavior can conflict with a consent implementation that is intended to request consent before setting any cookie. To be compliant with such an implementation, the apmrum library supports a property called allowCreateCookie that can be set to true if the end-user consented to cookie creation or false if the end-user did not consent. It is possible to change the value to true during the session, but setting it to false won't remove the cookie, as the property is only checked when the tracking cookie is about to be created. When the end-user did not consent, the actions of the user are grouped by page: each page (each invocation of the library) gets a unique identifier.
- Cookie definition
The OciTrack cookie is a session cookie that is intended to link performance-related information to specific sessions for correct reporting on concurrent sessions handled by a particular server. This value is combined with technical events of interest that occur and is reported for performance analysis. The OciTrack cookie expires when users terminate their browser. This cookie falls into the Performance and Analysis category of cookies.

Cookie Properties
- cookie name: The cookie name can be set through apmrum.tracking_cookie. If a cookie with the same name is accessible, the value from that cookie is used. The default cookie name is OciTrack.
- value: The cookie is created if the sid property does not exist.
- expires: The expires property is not set by default. Without the expires property, the cookie is considered a session cookie and is removed when the browser closes. If desired, the property can be set by configuring apmrum.tracking_cookie_expires.
- httpOnly: Not applicable, since the cookie is created from JavaScript; it is always false.
- secure: The secure property is set by default. Secure limits the cookie to HTTPS only.
- path: The path property is set by default, but it can be overridden by apmrum.tracking_cookie_path.
- domain: The domain property is not set by default. It can be overridden by apmrum.tracking_cookie_domain.
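The following is an added example, not apmrum library code, that models the order in which a session identifier is chosen according to the consent and cookie sections above (sid first, then an existing cookie with the configured name, then consent via allowCreateCookie, otherwise per-page grouping) and which attributes a newly created tracking cookie carries. The property names sid, allowCreateCookie, tracking_cookie, tracking_cookie_expires, tracking_cookie_path and tracking_cookie_domain are the documented ones; the function names, the cookie value passed in by the caller, the '/' default path and the Expires formatting are assumptions made for this example.

```javascript
// Added example (not apmrum library code): models the documented session-id
// selection and tracking-cookie attributes. Function names, the caller-supplied
// cookie value, the '/' default Path and Expires formatting are assumptions.

// Read one cookie value out of a document.cookie-style string, or null if absent.
function readCookie(cookieHeader, name) {
  for (const part of cookieHeader.split(';')) {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    if (eq > 0 && trimmed.slice(0, eq) === name) return trimmed.slice(eq + 1);
  }
  return null;
}

// Decide where the session identifier comes from:
//  1. apmrum.sid (server-generated) wins when set;
//  2. an accessible cookie with the configured name is reused;
//  3. otherwise a cookie is created only if the end user consented
//     (allowCreateCookie is checked only at creation time);
//  4. without consent, activity is grouped per page; the caller assigns
//     a page-scoped identifier (id is null here).
function resolveSession(apmrum, cookieHeader = '') {
  if (apmrum.sid) return { source: 'sid', id: apmrum.sid, createCookie: false };
  const name = apmrum.tracking_cookie || 'OciTrack';
  const existing = readCookie(cookieHeader, name);
  if (existing !== null) return { source: 'cookie', id: existing, createCookie: false };
  if (apmrum.allowCreateCookie === false) return { source: 'page', id: null, createCookie: false };
  return { source: 'cookie', id: null, createCookie: true };
}

// Build the Set-Cookie-style attribute string for a new tracking cookie.
// Secure is always present (documented default). Expires, Path and Domain
// follow the documented apmrum.tracking_cookie_* properties; no Expires means
// a session cookie. HttpOnly cannot be set from JavaScript, so it is absent.
function buildTrackingCookie(apmrum, value) {
  const name = apmrum.tracking_cookie || 'OciTrack';
  const attrs = [`${name}=${value}`];
  if (apmrum.tracking_cookie_expires) {
    // Assumed here to hold anything Date can parse.
    attrs.push(`Expires=${new Date(apmrum.tracking_cookie_expires).toUTCString()}`);
  }
  attrs.push(`Path=${apmrum.tracking_cookie_path || '/'}`); // '/' is this example's assumed default
  if (apmrum.tracking_cookie_domain) attrs.push(`Domain=${apmrum.tracking_cookie_domain}`);
  attrs.push('Secure');
  return attrs.join('; ');
}

// Constructed configurations and cookie strings (no real values).
console.log(resolveSession({ allowCreateCookie: true }));                       // createCookie: true
console.log(resolveSession({ allowCreateCookie: false }));                      // source: 'page'
console.log(resolveSession({ sid: 'srv-abc' }));                                // source: 'sid'
console.log(resolveSession({}, 'OciTrack=existing123; other=1'));               // reuses existing123
console.log(buildTrackingCookie({ tracking_cookie_domain: 'example.com' }, 'v1'));
// → OciTrack=v1; Path=/; Domain=example.com; Secure
```

The check order matters for consent handling: an already-present cookie is reused without consulting allowCreateCookie, which is exactly why flipping the property to false later does not remove a cookie that was created earlier in the session.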
Session Breaks
You can align the duration of the session with the login/logout activity by using
ApmSdk.resetSession()
. For details, see Configure Session Tracking.
End User Tracking Disable
The end-user consent could also indicate no tracking at all. To disable the browser agent, see Disable APM Browser Agent Monitoring.