High-security mode

Our default APM agent settings provide a high level of security. However, you may need to guarantee that even if the default APM agent settings are overridden to be more permissive, no sensitive data will ever be reported to New Relic by the APM agent. If this is the case, then you'll want to turn on APM high-security mode (also known as enterprise security mode).

For more information about our default security measures, see our security and privacy documentation, or visit the New Relic security website.

Requirements

High-security mode requires Enterprise edition.

High-security mode is a per-account setting, not a per-organization setting. This means that if your organization contains multiple accounts, you must enable this mode for each account.

Have questions about access to this feature? Talk to your New Relic account representative.

Versions

There are two versions of high-security mode. Version 1 is deprecated and is available only if you already have it. If you're enabling high-security mode for the first time, the only option is version 2 (v2). For details about agent support for version 2, see version support.

Enable high-security mode (version 2)

To enable high security, you must update both the local configuration on your server and the remote configuration in the UI.

Before you do this, note that:

Once you enable high security for an account, high security cannot be turned off without assistance from New Relic Support.
This is a per-account setting, meaning that you must set it for each account you want to grant high-security mode.

Setting location	Description
Set in UI	For users on our newer user model (almost all customers): Get the account ID for the account you want to enable. Then use that to go to this URL: `https://one.newrelic.com/admin-portal/apm-agents/hsm?account=YOUR_ACCOUNT_ID`. On that page, you can configure high-security mode. For users on our original user model: Only the account owner can configure this. Go to one.newrelic.com, click the user menu and click on Administration. On that page, select High-security mode. If the agent is configured for high security via the UI but not locally, then the agent connections are rejected, and the agent will shut down. However, this won't shut down your application.
Local, via agent	Enable high-security mode in your agent configuration file. High-security mode is disabled by default, and the exact procedure to enable it varies by agent: Go Java .NET Node.js PHP Python Ruby If the agent is configured for high security locally but not via the UI, then the agent connections will be rejected, and the agent will shut down. This will not shut down your application.

Setting location

Description

Set in UI

For users on our newer user model (almost all customers): Get the account ID for the account you want to enable. Then use that to go to this URL: https://one.newrelic.com/admin-portal/apm-agents/hsm?account=YOUR_ACCOUNT_ID. On that page, you can configure high-security mode.
For users on our original user model: Only the account owner can configure this. Go to one.newrelic.com, click the user menu and click on Administration. On that page, select High-security mode.
If the agent is configured for high security via the UI but not locally, then the agent connections are rejected, and the agent will shut down. However, this won't shut down your application.

Local, via agent

Enable high-security mode in your agent configuration file. High-security mode is disabled by default, and the exact procedure to enable it varies by agent:

Go
Java
.NET
Node.js
PHP
Python
Ruby
If the agent is configured for high security locally but not via the UI, then the agent connections will be rejected, and the agent will shut down. This will not shut down your application.

Results of enabling high-security mode (version 2)

Once enabled, high-security mode (v2) ensures the following for your account:

Feature	Comments
Requires agents to use a secure connection (HTTPS)	High-security mode requires a secure (HTTPS) connection. Non-secure connection attempts will be rejected. The latest version of all New Relic agents support HTTPS. If the configuration is not set appropriately, the agent will override the property to ensure all data in transit per the latest industry standards.
Prevents HTTP param capture	High-security mode does not allow HTTP params, which may contain sensitive customer data, to be sent to the New Relic collector. If the agent is configured to send HTTP params locally or through server-side configuration, high-security mode will override the configuration to never capture HTTP params.
Prevents message queue param capture	High-security mode does not allow message queue params, which may contain sensitive customer data, to be sent to the New Relic collector. If the agent is configured to send message queue params locally or through server-side configuration, then high-security mode will override the configuration to never capture message queue params.
Prevents raw query statement capture	High-security mode does not allow raw database query statements, which may contain sensitive customer data, to be captured. If the agent is configured to capture raw queries locally or through server-side configuration, then high-security mode will override the configuration to never capture raw queries.
Prevents user attribute capture	High-security mode does not allow attributes set using each agent's API to be captured, as these may contain sensitive customer data. For example, in the Java agent, attributes passed in through the following `NewRelic` agent API calls will be blocked: `NewRelic.addCustomParameter(String key, String value)` `NewRelic.addCustomParameter(String key, Number value)` `NewRelic.setUserId(String name)` `NewRelic.setAccountName(String name)` `NewRelic.setProductName(String name)`
Prevents `noticeError` attribute capture	High-security mode does not allow attributes set using each agent's `noticeError` API call to be captured as these may contain sensitive customer data. For example, in the Java agent, attributes passed in through the following `NewRelic` agent API calls will be blocked: `NewRelic.noticeError(String message, Map<String, String> params)` `NewRelic.noticeError(Throwable throwable, Map<String, String> params)`
Prevents custom events	High-security mode does not allow custom events to be created using the agent API, as these may contain sensitive customer data. For example, in the .NET agent, the API call `RecordCustomEvent` will be blocked.
Prevents in-agent log event forwarding	High-security mode does not allow log events to be forwarded to APM using the `application_logging.forwarding.enabled` configuration option as log messages may contain sensitive customer data.
Prevents deploying Custom Instrumentation via CIE	High-security mode does not allow deploying custom instrumentation when using the Custom Instrumentation Editor. If you have high-security mode enabled, you must export the instrumentation and manually import it to your app server.

Version 2 support

Here are details about agent versions that support high-security mode version 2:

Agent	Version 2 support
Go	All versions
Java	3.7 or higher
.NET	3.3 or higher
Node.js	1.7.0 or higher
PHP	4.9 or higher
Python	2.22.0.0 or higher
Ruby	3.9.1 or higher

Results of enabling high-security mode v1 (deprecated)

High-security mode version 1 is deprecated and only available if you enabled it prior to version 2 being available. High-security mode version 1 ensures the following for your account:

Feature	Comments
Requires agents to use a secure connection (HTTPS)	High-security mode requires an encrypted connection (HTTPS). Non-secure connection attempts will be rejected. The latest version of all New Relic agents support HTTPS. If the configuration is not set appropriately, the agent will override the property to ensure that all data in transit is encrypted as per the latest industry standards.
Prevents HTTP param capture	Agents configured to capture HTTP params, which may contain sensitive customer data, are not allowed to connect to New Relic. If the local configuration is set to capture request parameters, then New Relic's collector will reject the connection, and the agent will shut down.
Prevents raw query statement capture	Agents configured to capture raw database query statements, which may contain sensitive customer data, are not allowed to connect to New Relic. If the agent is configured to capture raw queries locally or through server-side configuration, New Relic's collector will reject the connection and the agent will shut down.
Prevents deploying Custom Instrumentation via CIE	High-security mode does not allow deploying custom instrumentation when using the Custom Instrumentation Editor. If you have high-security mode enabled, you must export the instrumentation and manually import it to your app server.

Migrate from version 1 to version 2

These are the main differences between the two versions of high security:

In order to make high security even more secure, high security must be enabled in the New Relic user interface and in the local New Relic configuration file. High security v1 only required high security to be set in the New Relic UI.
User attributes, noticeError attributes, and message queue parameters are turned off with high security in version 2, but not in version 1.

To update from v1 to v2, add high_security: true to your local agent configuration file.