APM agent security: Java

New Relic's default and high security mode settings automatically provide a high level of security to ensure data privacy and to limit the types of information New Relic receives. You may have business reasons to change these settings to be more permissive or more limited.

Default security settings

By default, here is how the New Relic Java agent handles the following potentially sensitive data:

  • Request parameters: The agent does not capture HTTP request parameters.
  • SSL: The agent communicates with New Relic using HTTPS.
  • SQL: The agent sets SQL recording to obfuscated, which removes the potentially sensitive numeric and string literal values.

High security mode settings

If you are concerned about protecting sensitive data that should never be sent to New Relic, enable high security mode.

When the agent is in high security mode, default settings are locked so that users cannot change them. In addition:

Custom security configurations

If high security mode or the default settings do not work for your business needs, you can customize configurations to change which information is sent to New Relic.

If you customize configurations, it may impact the security of your application.

Use any of these options to customize settings that affect security:

Property Effects on data security

audit_mode

boolean

Default: false

By default, the Java agent does not log all data sent to New Relic in the agent log file.

If you set this to true, the agent logs data sent to the New Relic collector in the agent log file. You can then evaluate the information that the agent sends by reviewing the agent log file to see if it includes sensitive information.

high_security

boolean

Default: false

To enable high security mode, set this to true and enable high security in New Relic. This restricts the information you can send to New Relic.

proxy_host

string

Default: (none)

Some proxies default to using HTTP, which is a less secure protocol.

ssl

boolean

Default: true

By default, the agent communicates with New Relic over HTTPS for data security. If you change this to false, HTTP may be used, which is a less secure protocol.

attributes.enabled

boolean

Default: true

Default for the Custom Instrumentation Editor: false

By default, you are sending attributes to New Relic, except for methods instrumented using the Custom Instrumentation Editor. If you do not want to send attributes to New Relic, set this to false.

attributes.exclude

string

Default: (none)

If there are specific attribute keys that you do not want to send to New Relic in transaction traces, identify them using attributes.exclude. This restricts the information sent to New Relic.

Consider if you want to exclude these potentially sensitive attributes using attributes.exclude or if you need the information sent to New Relic:

  • request.headers.*: Removes all request headers.

    (Note that HTTP headers that contain sensitive data such as cookie and authorization are never collected.)

  • response.headers.*: Removes all response headers.
  • request_uri: Removes the path for the transaction's incoming request.

log_sql

boolean

Default: false

By default, you are sending queries to New Relic using record_sql. If you want to log queries in the agent log file as well as send them to New Relic, set this to true.

record_sql

string

Default: obfuscated

By default, record_sql is set to obfuscated, which strips out the numeric and string literals.

  • If you do not want the agent to capture query information, set this to off.
  • If you want the agent to capture all query information in its original form, set this to raw.
  • When you enable high security mode, this is automatically set to obfuscated.

strip_exception_messages

boolean

Default: false

By default, this is set to false, which means that the agent sends messages from all exceptions to the New Relic collector. If you enable high security mode, this is automatically changed to true, and the agent strips the messages from exceptions.

If you are not using high security mode but still want to strip messages from all exceptions except those in the whitelist, set this to true.
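The following added example (not New Relic's own code) audits a set of agent settings against the defaults and high security mode behavior described in the table above and lists the values worth reviewing. It assumes the settings are supplied as a flat dictionary keyed by the property names used on this page, and that attributes.exclude is a comma-separated string; the names effective and audit are hypothetical.

```python
# Added example: review Java agent settings against the defaults on this page.
# Assumption: settings arrive as a flat dict keyed by this page's property
# names; where each key sits in a real agent config file is not modelled.

DEFAULTS = {
    "audit_mode": False, "high_security": False, "proxy_host": None,
    "ssl": True, "attributes.enabled": True, "attributes.exclude": "",
    "log_sql": False, "record_sql": "obfuscated",
    "strip_exception_messages": False,
}
# Attribute keys the page suggests considering for attributes.exclude.
SENSITIVE_ATTRS = ("request.headers.*", "response.headers.*", "request_uri")


def effective(settings):
    """Merge the page's defaults, then apply what high security mode forces."""
    cfg = {**DEFAULTS, **settings}
    if cfg["high_security"]:
        cfg["ssl"] = True                       # default settings are locked
        cfg["strip_exception_messages"] = True  # automatically changed to true
        if cfg["record_sql"] == "raw":          # assumption: "off" is left alone
            cfg["record_sql"] = "obfuscated"
    return cfg


def audit(settings):
    """Return a sorted list of (property, reason) items to review."""
    cfg, out = effective(settings), []
    if not cfg["ssl"]:
        out.append(("ssl", "HTTP may be used to reach New Relic"))
    if cfg["record_sql"] == "raw":
        out.append(("record_sql", "SQL literals are sent unobfuscated"))
    if cfg["log_sql"]:
        out.append(("log_sql", "queries are also written to the agent log"))
    if cfg["audit_mode"]:
        out.append(("audit_mode", "sent data is written to the agent log"))
    if not cfg["strip_exception_messages"]:
        out.append(("strip_exception_messages", "exception messages are sent"))
    if cfg["proxy_host"]:
        out.append(("proxy_host", "confirm the proxy does not default to HTTP"))
    if cfg["attributes.enabled"]:
        # Assumption: attributes.exclude is a comma-separated string.
        excluded = {p.strip() for p in cfg["attributes.exclude"].split(",")}
        for attr in SENSITIVE_ATTRS:
            if attr not in excluded:
                out.append(("attributes.exclude", f"{attr} is not excluded"))
    return sorted(out)
```

Calling audit({}) shows what the default configuration still sends, and passing high_security set to True shows which permissive values that mode overrides.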
