APM agent security: Python

The Python agent's default security settings protect data privacy and limit the kind of information we ingest. You may have business reasons to change these settings.

If you want to restrict the information that we ingest, you can enable high security mode. If neither high security mode nor the default settings work for your business needs, you can apply custom settings.

For more information about security measures, see our security and privacy documentation, or visit the New Relic security website.

Default security settings

By default, here is how the Python agent handles the following potentially sensitive data:

  • Request parameters: The agent does not capture HTTP request parameters.
  • SQL: The agent sets SQL recording to obfuscated, which removes the potentially sensitive numeric and string literal values.

High security mode settings

When you enable high security mode, the default settings are locked so that users cannot change them. In addition:

Custom security settings

If you customize security settings, it may impact the security of your application.

If you need different security settings than default or high security mode, you can customize these settings:

Some of these settings can be changed using environment variables. See Python agent environment variables for the complete list.

Setting Effects on data security

audit_log_file

string

Default: (none)

If you use this to set the name of the audit log file, the agent will log details of messages passed back and forth between the monitored process and the data collector.

You can then evaluate the information that the agent sends to the collector to see if it includes sensitive information.

high_security

boolean

Default: false

To enable high security mode, set this to true and enable high security. This restricts the information you can send.

proxy_host

string

Default: (none)

Some proxies default to using HTTP, which is a less secure protocol.

attributes.enabled

boolean

Default: true

By default, you are sending attributes. If you do not want to send attributes, set this to false.

attributes.exclude

string

Default: (none)

If there are specific attribute keys that you do not want to send in transaction traces, identify them using attributes.exclude. This restricts the information sent.

Consider whether you want to exclude these potentially sensitive attributes using attributes.exclude, or whether you need the information sent:

  • request.headers.*: Removes all request headers.

    (Note that HTTP headers that contain sensitive data such as cookie and authorization are never collected.)

  • response.headers.*: Removes all response headers.

custom_insights_events.enabled

boolean

Default: true

By default, the agent records events sent to the Insights custom events API via record_custom_event(). If you enable high security mode, this is automatically set to false.

transaction_tracer.record_sql

string

Default: obfuscated

By default, transaction_tracer.record_sql is set to obfuscated, which strips out the numeric and string literals.

  • If you do not want the agent to capture query information, set this to off.
  • If you want the agent to capture all query information in its original form, set this to raw.
  • When you enable high security mode, this is automatically set to obfuscated.

strip_exception_messages.enabled

boolean

Default: false

If you enable high security mode, this is automatically set to true. If you are not using high security mode but want to strip messages from all exceptions except those in your allow list, set this to true.
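The following is an added example, not part of the original documentation or the agent's own code: a small audit that computes the effective values of the settings in the table above, applies the high security mode overrides the table describes, and lists what would still be sent. It assumes the settings live in a [newrelic] section of an INI-style agent configuration file and that attributes.exclude is a space-separated list; the function names and the sample configuration are constructed for illustration.

```python
import configparser

# Defaults exactly as listed in the settings table above.
DEFAULTS = {
    "high_security": False,
    "attributes.enabled": True,
    "attributes.exclude": "",
    "custom_insights_events.enabled": True,
    "transaction_tracer.record_sql": "obfuscated",
    "strip_exception_messages.enabled": False,
}

def effective_settings(ini_text, section="newrelic"):
    """Merge configured values over the defaults, then apply high security mode."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    eff = {}
    for key, default in DEFAULTS.items():
        if isinstance(default, bool):
            eff[key] = cp.getboolean(section, key, fallback=default)
        else:
            eff[key] = cp.get(section, key, fallback=default).strip()
    if eff["high_security"]:
        # Overrides the table describes for high security mode.
        eff["custom_insights_events.enabled"] = False
        eff["strip_exception_messages.enabled"] = True
        # Assumption: an explicit "off" is already stricter and is left alone.
        if eff["transaction_tracer.record_sql"] == "raw":
            eff["transaction_tracer.record_sql"] = "obfuscated"
    return eff

def findings(eff):
    """Return review notes for settings that widen what is sent."""
    out = []
    if eff["transaction_tracer.record_sql"] == "raw":
        out.append("record_sql=raw: query literals are sent in original form")
    if not eff["strip_exception_messages.enabled"]:
        out.append("exception messages are not stripped")
    if eff["attributes.enabled"]:
        excluded = eff["attributes.exclude"].split()
        for pattern in ("request.headers.*", "response.headers.*"):
            if pattern not in excluded:
                out.append(f"{pattern} is not in attributes.exclude")
    return out

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """[newrelic]
transaction_tracer.record_sql = raw
attributes.exclude = request.headers.*
"""
```

Running findings(effective_settings(text)) on a configuration before deployment shows which custom settings loosen the defaults and which of them high security mode would override.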
