
APM agent security: PHP

The PHP agent default security settings automatically provide security for your APM data to ensure data privacy and to limit the kind of information New Relic receives. You may have business reasons to change these settings.

If you want to restrict the information that New Relic receives, you can enable high-security mode. If high-security mode or the default settings do not work for your business needs, you can apply custom settings.

For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Default security settings

By default, here is how the New Relic PHP agent handles the following potentially sensitive data:

  • Request parameters: The agent does not capture HTTP request parameters.
  • HTTPS: The agent communicates with New Relic using HTTPS.
  • SQL: The agent sets SQL recording to obfuscated, which removes the potentially sensitive numeric and string literal values.

High-security mode settings

When you enable high-security mode, the default settings are locked so that users cannot change them. In addition:

  • You cannot create custom events.
  • The agent strips exception messages from errors.

Custom security settings


If you customize security settings, it may impact the security of your application.

If you need different security settings than default or high-security mode, you can customize these settings:


Effects on data security



Default: (none)

If you use this to set the name of the audit log file, the agent will log details of messages passed back and forth between the monitored process and the New Relic collector.

You can then evaluate the information that the agent sends to the New Relic collector to see if it includes sensitive information.



Default: false

To enable high-security mode, set this to true and enable high security in New Relic. This restricts the information you can send to New Relic.



Default: (none)

Some proxies default to using HTTP, which is a less secure protocol.



Default: true

By default, you are sending attributes to New Relic. If you do not want to send attributes to New Relic, set this to false.



Default: (none)

If there are specific attribute keys that you do not want to send to New Relic in transaction traces, identify them using newrelic.attributes.exclude. This restricts the information sent to New Relic.

Consider if you want to exclude these potentially sensitive attributes using newrelic.attributes.exclude or if you need the information sent to New Relic:

  • request.headers.*: Removes all request headers.
  • response.headers.*: Removes all response headers.



Default: true

By default, the agent records events sent to the Event API via newrelic_record_custom_event(). If you enable high-security mode, this is automatically set to false.



Default: obfuscated

By default, newrelic.transaction_tracer.record_sql is set to obfuscated, which strips out the numeric and string literals.

  • If you do not want the agent to capture query information, set this to off.
  • If you want the agent to capture all query information in its original form, set this to raw.
  • When you enable high-security mode, this is automatically set to obfuscated.
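
The settings above can be checked against a `newrelic.ini` before deployment. The following is an added example, not New Relic's own code: it flags raw SQL recording and header attributes that are not excluded. The sample file content is constructed, and treating `newrelic.attributes.exclude` as a comma-separated list and `newrelic.high_security` as an INI boolean are assumptions of the example.

```python
# Constructed sample newrelic.ini content for illustration (not from the page).
SAMPLE_INI = """\
[newrelic]
; constructed values
newrelic.high_security = false
newrelic.transaction_tracer.record_sql = "raw"
newrelic.attributes.exclude = "response.headers.*"
"""

HEADER_PATTERNS = ("request.headers.*", "response.headers.*")
TRUTHY = {"1", "true", "on", "yes"}  # assumed INI boolean spellings


def parse_ini(text):
    """Collect key = value pairs, skipping comments and section headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_ini(text)
    findings = []
    high_security = s.get("newrelic.high_security", "false").lower() in TRUTHY
    # An unset record_sql means the documented default, "obfuscated".
    record_sql = s.get("newrelic.transaction_tracer.record_sql", "obfuscated").lower()
    # Per the page, high-security mode sets record_sql to obfuscated automatically.
    if record_sql == "raw" and not high_security:
        findings.append("record_sql=raw: SQL literals are sent unobfuscated")
    excluded = {p.strip() for p in s.get("newrelic.attributes.exclude", "").split(",")}
    for pattern in HEADER_PATTERNS:
        if pattern not in excluded:
            findings.append(f"{pattern} is not in newrelic.attributes.exclude")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```
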
Copyright © 2024 New Relic Inc.
