Hide Personally Identifiable Information

You must configure a set of explicit rules to prevent Personally Identifiable Information (PII) from being displayed in your data.

The default Application Performance Monitoring rules hide PII in URLs by recognizing monetary values, bank-account numbers, and dates. However, the default rules only catch obvious PII and are not exhaustive. You must evaluate the default rules and further configure rules to ensure correct reporting in your environment and ensure that PII is not displayed in your data.

Checking PII information

The PII information check is performed on query parameters and parts of the URL. By default, the document title is not captured.

When the trackScreenText setting is enabled, the document title and text related to the element clicked is captured and reported. These could contain sensitive data.

To reduce the impact of capturing undesired data, it is possible to configure attribute functions to capture only desired data. (The attribute functions can be defined as udfAttribute1, udfAttribute2, ... udfAttribute9). When the trackScreenText setting is enabled, the retrieved data is parsed to avoid unintended side effects. The logic to recognize undesired patterns can be overruled using the rewriteRules property. See the below example:

window.apmrum.rewriteRules = [ { context: 'all', options: 'g',
  pattern: '[a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-][a-zA-Z0-9.!#$%&’*+/=?^_`{|}~-]*@' +
  replacement: '*', type: 'all-values' },
  { pattern: "([a-fA-F\._\:-]*[0-9]+){2,}[a-fA-F_\:-]*([/\.])?", replacement: "*$2" } ];

This rewriteRules property contains a list of rewrite rules that are applied sequentially. Each rule has a pattern to look for, and a replacement, to replace things with. It uses the javascript regex logic the browser provides.

In addition, the options can be configured: 'g' for global and 'i' for case in-sensitive.

The rules can be applied to only specific sets of data by configuring the context:
  • 'all-values' to all values anywhere.

  • 'path_elm', 'param_elm', 'query_elm', 'fragment' on either path, param, query/search or fragment part of the URL.

  • 'attr' on the document-title /output of udfAttribute functions.

Adhere to End-user Consent for Cookie Creation

The apmrum library needs a cookie to track sessions, and allow performance diagnostics in context of customer sessions.

There are three different ways to provide a session identifier to be used.

  • Provide sessionId as apmrum parameter

    The apmrum object has a property called sid. When that property is set, it is used for tracking sessions.

    This can be helpful to correlate browser data to server-side logs. The apm server-agent does not require this correlation to be able to link both. The session id needs to be generated server-side which generally is not possible for static pages.

  • Align creation of OciTrack cookie with consent from end-user

    By default, the apmrum library will create a OciTrack session cookie (when the sid parameter is not set).

    This behavior can conflict with consent implementation that is intended to request consent before setting any cookie. To be compliant with such an implementation, the apmrum library supports a property called allowCreateCookie that can be set to true if the end-user did consent to cookie creation or false if the end-user did not consent.

    It's possible to have the value changed to true during the session, but setting it to false won't remove the cookie, as the property is only checked when the tracking cookie is about to be created.

    When the end-user did not consent, the actions of the user are grouped by page (each page / invocation of the library) is getting a unique identifier.

  • Cookie definition

    The OciTrack cookie is a session cookie that is intended to link performance related information to specific sessions for correct reporting on concurrent sessions handled by a particular server. This value is combined with technical events of interest that occur and reported for performance analysis.

    The OciTrack cookie expires when users terminate their browser. This cookie falls into the Performance and Analysis category of cookies.

    Cookie Properties

    Cookie Property Description
    cookie name The cookie name can be set through apmrum.tracking_cookie.

    If a cookie with the same name is accessible, the value from that cookie will be used. The default cookie name is OciTrack.

    value The cookie is created if sid property does not exist.
    expires The expires property is not set by default.

    Without the expires property, the cookie is considered to be a session cookie and will be removed when the browser closes. If desired, the property can be set by configuring apmrum.tracking_cookie_expires.

    httpOnly Not applicable since the cookie is created from javascript and it's always false.
    secure The secure property is set by default.

    Secure limits cookie to httpS only.

    path The path property is set by default, but it can be overridden by apmrum.tracking_cookie_path
    domain The domain property is not set by default. It can be overridden by apmrum.tracking_cookie_domain

Session Breaks

You can align the duration of the session with the login/logout activity by using ApmSdk.resetSession(). For details, see Configure Session Tracking.

End User Tracking Disable

The end-user consent could also indicate no tracking at all. To disable the browser agent, see Disable APM Browser Agent Monitoring.