Security for New Relic Browser

New Relic Browser provides insights into how your application or site behaves when it is loaded in a web browser. New Relic Browser only collects performance data, as explained in this document. It does not collect any data used or stored by the monitored application unless you explicitly configure it to do so. This document describes Browser's security measures.

Reported data

New Relic Browser reports many different types of data to help you analyze your website's performance. New Relic Browser only reports page view data, unless you have subscribed to Pro features. You can also enable functionality for AJAX requests, JavaScript errors, and session traces.

For most data types, New Relic Browser transmits the data securely using SSL encryption. For more information, see Data transmission.

The Browser agent transmits data to New Relic's data collection servers via the domain bam.nr-data.net.

Here is a summary of the types of data reported by New Relic Browser.

Page view data

This data is reported once per page view and consists of:

  • Page load timing data
  • Name of the server-side app controller that served the page, if available (obfuscated in the page and during transmission)
  • Additional custom parameters set by the server-side app controller, if available (obfuscated in the page and during transmission)
  • Additional custom parameters set by the Browser agent API, if set prior to page load

This information appears on the Page views page.

For data security reasons, New Relic Browser does not record or collect URL query strings.

Server-side data can only be collected when the host is also instrumented by New Relic, and the browser monitoring instrumentation is injected by the agent. For more information about how New Relic collects and presents this data, see Instrumentation for page load timing.

AJAX timing data

When enabled, New Relic Browser periodically reports AJAX timing data until the user navigates away from or closes the page. (New Relic automatically filters out all AJAX requests that take longer than two minutes.) Data includes:

  • Hostnames, ports, and paths (but not search/query parameters) of AJAX request URLs
  • HTTP status code of responses
  • Byte size of request message bodies
  • Name of the server-side app controller servicing the AJAX request and server-side timing data (obfuscated in the page and during transmission), when the browser instrumentation is injected by the New Relic agent
  • Timing data for the AJAX transaction
  • Timing data for the AJAX callbacks

This information appears on the AJAX page.

JavaScript error data

When enabled, New Relic Browser periodically reports data about every error that occurs on the page until the user navigates away from or closes the page. This information appears on the JavaScript errors page.

For each error, the data includes:

  • Exception class of the error
  • Error message containing arbitrary text
  • Stack trace of the error, which may contain function names and URLs of scripts causing the error

Error messages typically do not contain any confidential or sensitive information. However, it is possible for messages to be purposefully constructed with sensitive information. Before enabling JavaScript error reporting, ensure that your website does not expose any sensitive information in error messages.
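As an added illustration (not New Relic's code), here is the anti-pattern the paragraph warns about beside a safer form, with a small scrubber that redacts e-mail addresses, card-like digit runs and token=value pairs from a message before it is thrown. The patterns and the SafeError class are constructed for this example and are not part of the Browser agent API.

```javascript
// Added example, not New Relic code: keep secrets out of error messages
// before enabling JavaScript error reporting. The agent reports each error's
// class, message and stack trace, so anything embedded in the message leaves
// the page. Patterns below are constructed for this example.
const SENSITIVE_PATTERNS = [
  [/[\w.+-]+@[\w-]+\.[\w.-]+/g, '[email]'],                 // e-mail addresses
  [/\b\d(?:[ -]?\d){12,18}\b/g, '[card]'],                  // card-like digit runs
  [/\b(bearer|token|api[_-]?key|password)\s*[=:]\s*\S+/gi, '$1=[redacted]'],
];

// Apply every pattern in turn and return the redacted message.
function scrubMessage(message) {
  return SENSITIVE_PATTERNS.reduce(
    (text, [re, replacement]) => text.replace(re, replacement),
    String(message),
  );
}

// Error whose message is scrubbed and whose sensitive detail lives in a
// non-enumerable property, so it is in neither the message nor the stack.
class SafeError extends Error {
  constructor(publicMessage, detail) {
    super(scrubMessage(publicMessage));
    this.name = 'SafeError';
    Object.defineProperty(this, 'detail', { value: detail, enumerable: false });
  }
}

// The anti-pattern the text warns about: user data and a credential end up
// in the message that would be reported.
function loginFailedUnsafe(user, token) {
  return new Error(`Login failed for ${user} with token=${token}`);
}

// Safer form: a scrubbed, generic message is reported; the detail stays local.
function loginFailedSafe(user, token) {
  return new SafeError(`Login failed for ${user}`, { user, token });
}
```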

Session trace data

When enabled, New Relic Browser periodically reports data on the details of a single page's life cycle, including user interactions, AJAX loads, and JavaScript errors, until the user navigates away from or closes the page. New Relic automatically stops recording further data after ten minutes. Data includes:

  • Asset load timing details
  • User interactions such as scrolling, mousing, and clicking
  • JavaScript error timing and other JavaScript error information
  • Triggered JavaScript events

Session traces are captured randomly at a fixed rate from among the monitored page views. Session trace information appears on the Session traces page.

SPA data

In addition to the data above, for customers using New Relic single-page application (SPA) monitoring, this data is reported once per page load or route change:

  • Hash fragments associated with route changes
  • Additional custom parameters added via the SPA API

When SPA monitoring has been enabled, this information appears on the Page views page.

As is the case for page view timing data, server-side data can only be collected when the host is also instrumented by New Relic, and the browser monitoring instrumentation is injected by the agent. For more information about how New Relic collects and presents this data, see Instrumentation for page load timing.

URL query strings

The Browser agent uses the HTTP referer attribute to track page URLs. URLs can sometimes contain potentially sensitive user-entered query data (for example, a user's name). For data security reasons, Browser does not record or collect URL query strings.

Browser types

New Relic Browser determines the browser type from the User-Agent header and the geographical location based on the browser's IP address. New Relic does not retain the IP address, only the country and region associated with the performance data.

This information appears on the selected app's Geography page. Also, details about specific browser types appear on the selected app's Browsers page.

Browser trace details

If New Relic captures a browser trace, it also includes the city associated with the IP address (if any). Browser trace details appear on the Page views page.

Browser traces are replaced by browser session traces if using Browser Pro, to provide a more detailed timeline of the load and interaction events during a webpage's life cycle.

CDN access

Page load timing requires access to the content delivery network (CDN), where New Relic's utility JavaScript file (nr.js) is hosted. The domain name for the file (js-agent.newrelic.com) remains static, but the number in the path (version) may change periodically.

A script tag is injected by the New Relic agent (or pasted into the webpage for standalone apps) that references the JavaScript on the CDN, which is then loaded by the browser. The loaded JavaScript collects and reports the metrics dynamically to the domain bam.nr-data.net.

If your end users are behind a firewall or proxy and do not have access to the CDN or to New Relic's networks (including bam.nr-data.net), New Relic Browser will not work. For more information about host locations and IP addresses for sending data to New Relic, see Networks.

Cookies

New Relic Browser creates cookies in the end user's browser. If the user has cookies disabled, page load timing (sometimes referred to as real user monitoring or RUM) will not be able to track sessions properly. Also, if the user has an older browser that does not support the Navigation Timing Specification API, page load timing will not be able to track response times as accurately.

New Relic's cookies for browser monitoring do not contain the secure attribute. This is because page load timing data is sent over HTTP when the page is HTTP, but over HTTPS when the page is HTTPS. For more information, see Data transmission.

JavaScript and AJAX data may contain more sensitive information, so they are always transmitted over HTTPS. Transmission of these cookies via HTTP or access to them from JavaScript is not a significant security risk, because the cookies are not used to make security decisions or allow access to an account. They are used only to collect performance data, with any identifiable data obfuscated.

If the site uses P3P, it must be configured to allow these cookies.

JSONP requests

Page load timing metrics are reported to New Relic using a Script GET, also known as a JSONP request. The Script GET returns a value that is subsequently stored in a cookie and used to trigger trace capturing.
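Added example (not New Relic's code) covering the CDN access and JSONP sections above: a small checker that parses a Content-Security-Policy header and reports which of the hosts this page names are not allowed. The directive-to-host mapping is an assumption drawn from the text: the agent script is loaded from js-agent.newrelic.com, and bam.nr-data.net receives the JSONP script GET (script-src) as well as the agent's other reporting traffic (connect-src).

```javascript
// Added example, not New Relic code: check that a Content-Security-Policy
// header allows the hosts this document names. The directive-to-host mapping
// is an assumption drawn from the text: the agent script is served from
// js-agent.newrelic.com, and bam.nr-data.net receives the JSONP script GET
// (script-src) as well as the agent's other reporting traffic (connect-src).
const REQUIRED_SOURCES = {
  'script-src': ['js-agent.newrelic.com', 'bam.nr-data.net'],
  'connect-src': ['bam.nr-data.net'],
};

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// A host is allowed by a source list if some source is '*', a scheme-only
// http:/https: source, an exact host, or a wildcard like *.nr-data.net.
function hostAllowed(host, sources) {
  return sources.some((src) => {
    if (src === '*' || /^https?:$/i.test(src)) return true;
    const hostPart = src
      .replace(/^[a-z][\w+.-]*:\/\//i, '') // drop scheme
      .replace(/\/.*$/, '')                // drop path
      .replace(/:(\d+|\*)$/, '')           // drop port
      .toLowerCase();
    if (hostPart.startsWith('*.')) return host.endsWith(hostPart.slice(1));
    return hostPart === host;
  });
}

// Return the "directive: host" pairs the policy does not allow. A missing
// script-src or connect-src falls back to default-src, as browsers do.
function missingCspSources(header) {
  const policy = parseCsp(header);
  const missing = [];
  for (const [directive, hosts] of Object.entries(REQUIRED_SOURCES)) {
    const sources = policy[directive] || policy['default-src'] || [];
    for (const host of hosts) {
      if (!hostAllowed(host, sources)) missing.push(`${directive}: ${host}`);
    }
  }
  return missing;
}
```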

For more help

Additional documentation resources include:

Discuss Browser monitoring in the New Relic Online Technical Community! Troubleshoot and ask questions, or discuss JavaScript error reporting or AJAX timing in detail.

If you need additional help, get support at support.newrelic.com.