Security for browser monitoring

Our provides insights into how your application or site behaves when it is loaded in a web browser. Browser only records performance data, as explained in this document. It does not record any data used or stored by the monitored application unless you explicitly configure it to do so.

For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Reported data

Browser reports many different types of data to help you analyze your website's performance. It only reports page view data, unless you have subscribed to Pro features. You can also enable functionality for AJAX requests, JavaScript errors, and session traces.

For most data types, browser transmits the data securely using HTTPS encryption. The browser agent transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.

Here is a summary of the types of data reported by browser monitoring.

This data is reported once per page view and consists of:

Page load timing data
Name of the server-side app controller that served the page, if available (obfuscated in the page and during transmission)
Additional custom parameters set by the server-side app controller, if available (obfuscated in the page and during transmission)
Additional custom parameters set by the browser agent API, if set prior to page load
This information appears on the Page views page. For data security reasons, browser does not record or collect URL query strings.
Server-side data can only be collected when the host is also instrumented by New Relic and the browser monitoring instrumentation is injected by the agent. For more information about how we collect and present this data, see Instrumentation for page load timing.

When enabled, browser periodically reports AJAX timing data until the user navigates away from or closes the page. (New Relic automatically filters out all AJAX requests that take longer than two minutes.) Data includes:

Hostnames, ports, and paths (but not search/query parameters) of AJAX request URLs
HTTP status code of responses
Byte size of request message bodies
Name of the server-side app controller servicing the AJAX request and server-side timing data (obfuscated in the page and during transmission), when the browser instrumentation is injected by the New Relic agent
Timing data for the AJAX transaction
Timing data for the AJAX callbacks
This information appears on the AJAX page.

When enabled, browser periodically reports data about every error that occurs on the page until the user navigates away from or closes the page. This information appears on the JavaScript errors page.

For each error, the data includes:

Exception class of the error
Error message containing arbitrary text
Stack trace of the error, which may contain function names and URLs of scripts causing the error
Error messages typically do not contain any confidential or sensitive information. However, it is possible for messages to be purposefully constructed with sensitive information. Before enabling JavaScript error reporting, ensure that your website does not expose any sensitive information in error messages.

When enabled, browser periodically reports data on the details of the a single page's life cycle, including user interactions, AJAX loads, and JavaScript errors, until the user navigates away from or closes the page. New Relic automatically stops recording further data after ten minutes. Data includes:

Asset load timing details
User interactions such as scrolling, mousing, and clicking
JavaScript error timing and other JavaScript error information
Triggered Javascript events
Session traces are captured randomly at a fixed rate from among the monitored page views. Session trace information appears on the Session traces page.

If you use browser's single-page app (SPA) monitoring, New Relic reports the following data once per page load or route change.

Browser data for page views, AJAX timing, JavaScript errors, and session traces
Hash fragments associated with SPA route changes
Additional custom parameters added from the SPA API
When SPA monitoring has been enabled, this information appears on the Page views page.
Server-side data can only be collected when the host is also instrumented by New Relic, and the browser monitoring instrumentation is injected by the agent. For more information about how we collect and present this data, see Instrumentation for page load timing.

URL query strings

The browser agent uses the HTTP referer attribute to track page URLs. URLs can sometimes contain potentially sensitive user-entered query data (for example, a user's name). For data security reasons, browser does not record or collect URL query strings.

Visitor's IP address

Browser uses the visitor's IP address to enrich data for additional visitor segmentation. Details such as the ASN and geoID are mapped to browser data from the IP address. For data security reasons, browser does not retain the visitor's IP address for reporting. The IP address is obtained in the HTTP header from the request to the New Relic collector.

New Relic does not retain the visitor's IP address after the attributes have been mapped. The IP address value is overwritten within 24 hours of data being collected.

Browser types

Browser determines the browser type from the User-Agent header and the geographical location based on the browser's IP address. New Relic does not retain the IP address, only the country and region associated with the performance data.

This information appears on the selected app's Geography page. Also, details about specific browser types appear on the selected app's Browsers page.

CDN access

Page load timing requires access to the content delivery network (CDN), where New Relic's utility JavaScript file (nr.js) is hosted. The domain name for the file (js-agent.newrelic.com) remains static, but the number in the path (version) may change periodically.

A script tag is injected by the New Relic agent (or pasted into the webpage for standalone apps) that references the JavaScript on the CDN, which is then loaded by the browser. The loaded JavaScript collects and reports the metrics dynamically to either of the domains bam.nr-data.net or bam-cell.nr-data.net.

Important

If your end users are behind a firewall or proxy and do not have access to the CDN or to New Relic's networks (including bam.nr-data.net and bam-cell.nr-data.net), browser monitoring will not work.

Cookies

Important

For current agents (version 1220 and higher), usage of third party cookies has been deprecated.

Browser monitoring creates cookies in the end user's browser. If the user has cookies disabled, page load timing (sometimes referred to as real user monitoring or RUM) will not be able to track sessions properly. Also, if the user has an older browser that does not support the Navigation Timing Specification API, page load timing will not be able to track response times as accurately.

New Relic's cookies generated by browser agents older than version 995 may not contain the secure attribute. This is because page load timing data transmission in versions before version 995 use HTTP when the page is HTTP, but use HTTPS when the page is HTTPS. All browser agent versions above version 995 will always use the secure flag for cookies and transmit over HTTPS.

JavaScript and AJAX data may contain more sensitive information, so they are always transmitted over HTTPS. Transmission of these cookies using HTTP or access to them from JavaScript is not a significant security risk, because the cookies are not used to make security decisions or allow access to an account. They are used only to collect performance data, with any identifiable data obfuscated.

We now provide the option to disable cookie collection for your application. Please see our browser agent v1169 release notes for more information.

Important

If your site uses P3P, it must be configured to allow these cookies.

JSONP requests

Page load timing metrics are reported to New Relic using a Script GET, also known as a JSONP request. The Script GET returns a value that is subsequently stored in a cookie and used to trigger trace capturing.

Reported data

Page view data

AJAX timing data

JavaScript error data

Session trace data

SPA data

URL query strings

Visitor's IP address

Browser types

CDN access

Important

Cookies

Important

Important

JSONP requests

Security for browser monitoring

Reported data .css-21sua1{background:none;border:none;width:0;padding:0;}

AJAX timing data

JavaScript error data

Session trace data

SPA data

URL query strings

Visitor's IP address

Browser types

CDN access

Important

Cookies

Important

Important

JSONP requests

Reported data