
Security for browser monitoring

Our browser monitoring provides insights into how your application or site behaves when it is loaded in a web browser. Browser only records performance data, as explained in this document. It does not record any data used or stored by the monitored application unless you explicitly configure it to do so.

For more information about New Relic's security measures, see our security and privacy documentation, or visit the New Relic security website.

Reported data

Browser reports many different types of data to help you analyze your website's performance. It only reports page view data, unless you have subscribed to Pro features. You can also enable functionality for AJAX requests, JavaScript errors, and session traces.

For most data types, browser transmits the data securely using HTTPS encryption. The browser agent transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.

Here is a summary of the types of data reported by browser monitoring.

URL query strings

The browser agent uses the HTTP referer attribute to track page URLs. URLs can sometimes contain potentially sensitive user-entered query data (for example, a user's name). For data security reasons, browser does not record or collect URL query strings.

Visitor's IP address

Browser uses the visitor's IP address to enrich data for additional visitor segmentation. Details such as the ASN and geoID are mapped to browser data from the IP address. For data security reasons, browser does not retain the visitor's IP address for reporting. The IP address is obtained in the HTTP header from the request to the New Relic collector.

New Relic does not retain the visitor's IP address after the attributes have been mapped. The IP address value is overwritten within 24 hours of data being collected.

Browser types

Browser determines the browser type from the User-Agent header and the geographical location based on the browser's IP address. New Relic does not retain the IP address, only the country and region associated with the performance data.

This information appears on the selected app's Geography page. Also, details about specific browser types appear on the selected app's Browsers page.

CDN access

Page load timing requires access to the content delivery network (CDN), where New Relic's utility JavaScript file (nr.js) is hosted. The domain name for the file (js-agent.newrelic.com) remains static, but the number in the path (version) may change periodically.

A script tag is injected by the New Relic agent (or pasted into the webpage for standalone apps) that references the JavaScript on the CDN, which is then loaded by the browser. The loaded JavaScript collects and reports the metrics dynamically to either of the domains bam.nr-data.net or bam-cell.nr-data.net.


If your end users are behind a firewall or proxy and do not have access to the CDN or to New Relic's networks (including bam.nr-data.net and bam-cell.nr-data.net), browser monitoring will not work.
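The reachability requirement above can be checked against a proxy or firewall egress allowlist before rollout. This is an added example, not New Relic code: the three hostnames come from this page, while the allowlist syntax (exact host, `*.domain`, `.domain`, optional `:port`) and the sample entries are assumptions constructed for illustration.

```javascript
// Hosts named on this page: the agent CDN and the two collector domains.
const REQUIRED_HOSTS = ["js-agent.newrelic.com", "bam.nr-data.net", "bam-cell.nr-data.net"];
const HTTPS_PORT = 443; // the page states that data is sent over HTTPS

// Split "pattern[:port]" into its parts (assumed allowlist syntax).
function parseEntry(entry) {
  const raw = entry.trim();
  const m = /^(.*?)(?::(\d+))?$/.exec(raw.toLowerCase());
  return { raw, pattern: m[1], port: m[2] ? Number(m[2]) : null };
}

// True when one allowlist pattern covers the host.
function patternCovers(pattern, host) {
  // "*.example.com" covers subdomains only, not the bare domain.
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  // ".example.com" covers the bare domain and its subdomains.
  if (pattern.startsWith(".")) return host.endsWith(pattern) || host === pattern.slice(1);
  return host === pattern;
}

// Report, for each required host, whether an entry permits it on port 443.
function checkAllowlist(allowlistText) {
  const entries = allowlistText
    .split(/\r?\n/)
    .map((line) => line.replace(/#.*/, "")) // drop comments
    .filter((line) => line.trim() !== "")
    .map(parseEntry);
  return REQUIRED_HOSTS.map((host) => {
    const rule = entries.find(
      (e) => patternCovers(e.pattern, host) && (e.port === null || e.port === HTTPS_PORT)
    );
    return { host, allowed: Boolean(rule), matchedBy: rule ? rule.raw : null };
  });
}

// Hosts that browser monitoring needs but the allowlist does not permit.
function missingHosts(allowlistText) {
  return checkAllowlist(allowlistText).filter((r) => !r.allowed).map((r) => r.host);
}

// Constructed sample: the second collector domain is only opened on port 80.
const SAMPLE_ALLOWLIST = `
# constructed sample allowlist
*.newrelic.com
bam.nr-data.net:443
bam-cell.nr-data.net:80
`;
console.log(missingHosts(SAMPLE_ALLOWLIST));
```

An allowlist that opens only one of the two collector domains, or opens one on the wrong port, is reported as incomplete because the agent may report to either domain.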



Cookies

For current agents (version 1217 and higher), usage of cookies has been deprecated.

Browser monitoring creates cookies in the end user's browser. If the user has cookies disabled, page load timing (sometimes referred to as real user monitoring or RUM) will not be able to track sessions properly. Also, if the user has an older browser that does not support the Navigation Timing Specification API, page load timing will not be able to track response times as accurately.

New Relic's cookies generated by browser agents older than version 995 may not contain the secure attribute. This is because page load timing data transmission in versions before version 995 uses HTTP when the page is HTTP and HTTPS when the page is HTTPS. All browser agent versions above version 995 will always use the secure flag for cookies and transmit over HTTPS.

JavaScript and AJAX data may contain more sensitive information, so they are always transmitted over HTTPS. Transmission of these cookies using HTTP or access to them from JavaScript is not a significant security risk, because the cookies are not used to make security decisions or allow access to an account. They are used only to collect performance data, with any identifiable data obfuscated.

For customers subject to special guidelines for cookie collection, such as those under the EU GDPR/PECR ICO Guidelines, we now provide the option to disable cookie collection for your application. Please see our browser agent v1169 release notes for more information.


If your site uses P3P, it must be configured to allow these cookies.

JSONP requests

Page load timing metrics are reported to New Relic using a Script GET, also known as a JSONP request. The Script GET returns a value that is subsequently stored in a cookie and used to trigger trace capturing.

Copyright © 2024 New Relic Inc.
