High security mode

New Relic's default agent settings provide a high level of security. However, you may need to guarantee that even if the default agent settings are overridden to be more permissive, no sensitive data will ever be sent to New Relic. If this is the case, then you will want to turn on high security.

Access to this feature depends on your subscription level.

Account level

High security is an account level feature. If you choose to turn on high security, you must enable high security for all applications reporting to the account. High security must be set on each individual account. Sub-accounts do not automatically inherit the high security setting when it is enabled on the master account.

Currently there are two versions of high security.

Agent        Version 2 support
Go           All versions
Java         3.7 or higher
.NET         3.3 or higher
Node.js      1.7.0 or higher
PHP          4.9 or higher
Python       2.22.0.0 or higher
Ruby         3.9.1 or higher
Agent SDK    0.12.12 or higher

Enable the current high security mode (v2)

To enable high security, you must update both the local configuration on your server and the remote configuration in the New Relic user interface.

Once you enable high security for an account, high security cannot be turned off without assistance from New Relic Support.

Settings Description
Local

Enable high security mode in your agent configuration file. High security mode is disabled by default, and the exact procedure to enable it varies by agent:

If the agent is configured for high security locally but not in New Relic's collector servers, then the agent connections will be rejected, and the agent will shut down. This will not shut down your application.

Remote

To set high security through the New Relic user interface, use the following URL, replacing ACCOUNT_ID with your New Relic account ID:

https://rpm.newrelic.com/accounts/ACCOUNT_ID/high_security

If the agent is configured for high security on New Relic's collector servers but not locally, then the agent connections will be rejected and the agent will shut down. This will not shut down your application.

Results of enabling high security v2

Once enabled, high security v2 ensures the following for your account:

Feature Comments
Requires agents to use SSL

High security mode requires an SSL connection. Non-SSL connection attempts will be rejected. The latest versions of all New Relic agents support SSL. If the configuration is not set appropriately, then the agent will override the property to ensure all data is sent using an SSL connection.

Prevents HTTP param capture

High security mode does not allow HTTP params, which may contain sensitive customer data, to be sent to the New Relic collector server. If the agent is configured to send HTTP params locally or through server-side configuration, high security mode will override the configuration to never capture HTTP params.

Prevents message queue param capture

High security mode does not allow message queue params, which may contain sensitive customer data, to be sent to the New Relic collector server. If the agent is configured to send message queue params locally or through server-side configuration, then high security mode will override the configuration to never capture message queue params.

Prevents raw query statement capture

High security mode does not allow raw database query statements, which may contain sensitive customer data, to be captured. If the agent is configured to capture raw queries locally or through server-side settings, then high security mode will override the configuration to never capture raw queries.

Prevents user attribute capture

High security mode does not allow attributes set using each agent's API to be captured, as these may contain sensitive customer data.

For example, in the Java agent, attributes passed in through the following NewRelic agent API calls will be blocked:

  • NewRelic.addCustomParameter(String key, String value)
  • NewRelic.addCustomParameter(String key, Number value)
  • NewRelic.setUserName(String name)
  • NewRelic.setAccountName(String name)
  • NewRelic.setProductName(String name)

Prevents noticeError attribute capture

High security mode does not allow attributes set using each agent's noticeError API call to be captured, as these may contain sensitive customer data.

For example, in the Java agent, attributes passed in through the following NewRelic agent API calls will be blocked:

  • NewRelic.noticeError(String message, Map<String, String> params)
  • NewRelic.noticeError(Throwable throwable, Map<String, String> params)

Prevents custom events

High security mode does not allow custom events to be created using the agent API, as these may contain sensitive customer data. For example, in the .NET agent, the API call RecordCustomEvent will be blocked.

Prevents deploying Custom Instrumentation via CIE

High security mode does not allow deploying custom instrumentation when using the Custom Instrumentation Editor. If you have high security mode enabled, you must export the instrumentation and manually import it to your app server.

Enable the first version

The original version of high security only requires you to enable high security through the New Relic user interface. Use the following URL, replacing ACCOUNT_ID with your New Relic account ID:

https://rpm.newrelic.com/accounts/ACCOUNT_ID/high_security

Once you enable high security for an account, high security cannot be turned off without assistance from New Relic Support.

Results of enabling high security v1

Once enabled, high security v1 ensures the following for your account:

Feature Comments
Requires agents to use SSL

High security mode requires an SSL connection. Non-SSL connection attempts will be rejected. The latest versions of all New Relic agents support SSL.

Prevents HTTP param capture

Agents configured to capture HTTP params, which may contain sensitive customer data, are not allowed to connect to New Relic. If the local configuration is set to capture request parameters, then New Relic's collector servers will reject the connection, and the agent will shut down.

Prevents raw query statement capture

Agents configured to capture raw database query statements, which may contain sensitive customer data, are not allowed to connect to New Relic. If the agent is configured to capture raw queries locally or through server-side settings, New Relic's collector servers will reject the connection and the agent will shut down.

Prevents deploying Custom Instrumentation via CIE

High security mode does not allow deploying custom instrumentation when using the Custom Instrumentation Editor. If you have high security mode enabled, you must export the instrumentation and manually import it to your app server.

Migrate from version 1 to version 2

These are the main differences between the two versions of high security:

  • To make high security stricter, version 2 requires it to be enabled both in the New Relic user interface and in the local New Relic configuration file. Version 1 only required it to be set in the New Relic UI.
  • User attributes, noticeError attributes, and message queue parameters are turned off with high security in version 2, but not in version 1.

To update from v1 to v2, add high_security: true to your local configuration file.
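
A pre-flight check for the local/remote pairing and the v1/v2 behaviour described above, as an added example that is not New Relic's own code. It assumes a YAML-style agent configuration; the sample file and the key names ssl, capture_params and record_sql are assumptions, and only high_security appears on this page.

```python
import re

# Constructed sample in the YAML style of `high_security: true`; not a real config.
SAMPLE_CONFIG = """\
common: &default_settings
  app_name: Example App
  high_security: false   # local flag not yet set
  ssl: false
  capture_params: true
  transaction_tracer:
    record_sql: raw
"""

# Permissive values for the settings the page lists. Key names other than
# high_security are assumptions (Ruby/Java-style newrelic.yml).
PERMISSIVE = {"ssl": "false", "capture_params": "true", "record_sql": "raw"}

SETTING = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*([^#\s]+)")

def read_settings(text):
    """Flat key/value scan of scalar settings; the last occurrence of a key wins."""
    settings = {}
    for line in text.splitlines():
        match = SETTING.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip("'\"").lower()
    return settings

def audit(text, remote_high_security, version=2):
    """Findings for one agent config, given the account's UI setting."""
    settings = read_settings(text)
    local = settings.get("high_security", "false") == "true"
    permissive = [f"{k}: {v}" for k, v in PERMISSIVE.items() if settings.get(k) == v]
    if version == 1:
        # v1 is set only in the UI; the collector refuses permissive agents.
        return [f"REJECT {p}" for p in permissive] if remote_high_security else []
    if local != remote_high_security:
        return ["MISMATCH high_security: connection rejected, agent shuts down"]
    # Both sides agree: v2 overrides permissive settings instead of rejecting.
    return [f"OVERRIDE {p}" for p in permissive] if local else []

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, remote_high_security=True):
        print(finding)
```

Run it over every agent's configuration before enabling high security in the UI, so that no agent is left with a mismatched setting.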

For more help

For more information about configuration file settings, refer to your specific agent's documentation.

For the New Relic Synthetics feature that requires a pass phrase to assign jobs to a private minion, see Verified script execution.

Join the discussion about New Relic APM in the New Relic Online Technical Community! The Technical Community is a public platform to discuss and troubleshoot your New Relic toolset.

If you need additional help, get support at support.newrelic.com.