APM agent security: Node.js

The New Relic Node.js agent default security settings automatically provide security for your APM data to ensure data privacy and to limit the kind of information New Relic receives. You may have business reasons to change these settings.

If you want to restrict the information that New Relic receives, you can enable high security mode. If high security mode or the default settings do not work for your business needs, you can apply custom settings.

For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Default security settings

By default, here is how the New Relic Node.js agent handles the following potentially sensitive data:

  • Request parameters: The agent does not capture HTTP request parameters.
  • HTTPS: The agent communicates with New Relic using HTTPS.
  • SQL: The agent sets SQL recording to off. When set to off, the agent does not capture slow queries and does not include backtraces or SQL in transaction traces.

High security mode settings

When you enable high security mode, the default settings are locked so that users cannot change them. In addition:

  • The agent does not collect message queue parameters.
  • The record_sql configuration setting is changed to obfuscated, which strips out string and numeric literals.

Custom security settings

If you customize security settings, it may impact the security of your application.

If you need different security settings than default or high security mode, you can customize these settings:

Setting Effects on data security

audit_log.enabled

boolean

Default: false

By default, the agent does not log all data sent to New Relic in the agent log file.

If you set this to true, the agent logs the data sent to the New Relic collector in the agent log file. You can then evaluate the information that the agent sends by reviewing the agent log file to see if it includes sensitive information.

high_security

boolean

Default: false

To enable high security mode, set this to true and enable high security in New Relic. This restricts the information you can send to New Relic.

proxy_host

string

Default: (none)

Some proxies default to using HTTP, which is a less secure protocol.

record_sql

string

Default: off

By default, record_sql is set to off. If you enable high security mode, this is automatically changed to obfuscated.

You can change this setting to adjust the information that the agent sends to the New Relic collector.

  • If you do not want the agent to capture slow queries or to include backtraces and SQL in transaction traces, set this to off.
  • If you want the agent to strip out string and numeric literals, set this to obfuscated.
  • If you want the agent to capture all query information in its original form, set this to raw.

For more help

Recommendations for learning more: