As of browser agent version 1.317.0, obfuscation can also be configured via New Relic platform and NerdGraph for copy/paste, NPM browser installation methods, and APM-injected applications. You can configure obfuscation rules directly in your JavaScript for copy/paste or NPM installations.
While New Relic recommends avoiding sensitive information in the public structure of your application, we also understand that this isn't always possible. You can configure the browser agent to selectively obfuscate data in every payload it sends. This can be useful if your application uses sensitive data in places that the agent captures, such as navigation paths, error messages, and more.
Set up obfuscation rules
You can create obfuscation rules using one of the following methods:
Important
As of browser agent version 1.317.0, obfuscation can be configured via New Relic platform and NerdGraph for copy/paste, NPM browser installation methods, and APM-injected applications.
You can create ingest obfuscation rules directly from the New Relic platform to mask sensitive data before it's harvested. These rules apply to all browser events. Rules configured via the New Relic platform or NerdGraph apply to APM-injected applications, copy/paste installations, and NPM installations. However, copy/paste and NPM installations can manually override New Relic platform-configured rules by adding the obfuscate property to their init configuration.
Tip
First time setup: To see the obfuscation rules settings in the New Relic platform, you must first enable AJAX payload capture. Once payload capture is enabled, the obfuscation rules section displays in your Application settings. You can then disable payload capture while keeping your custom obfuscation rules.
In the Original value field, enter a regex pattern to match the sensitive data you want to mask.
In the Replace with field, enter a neutral or replacement value.
From the Choose where to store dropdown, select the types of event attributes you want to apply the obfuscation rule to.
Click Add rule to create.
The obfuscation rule is applied to matching data across all browser events before ingestion.
You can configure the browser agent to selectively obfuscate data in every payload it sends. This is useful if your application uses sensitive data in places the agent captures, such as navigation paths, error messages, and more.
As of browser agent version 1216 and higher, obfuscation rules can be applied to outgoing harvest payloads.
To set up these rules, configure the following browser agent property:
The property init.obfuscate contains an array of selectors and replacements which will be used to modify each harvest before sending.
You'll need to manually edit your JavaScript configuration section and set the obfuscate array to contain your obfuscation conditions.
Recommendations
When configuring this property, we recommend the following:
Use intentional regex patterns to obfuscate only what needs obfuscation.
Excessive obfuscation can have side-effects such as less granularity when grouping data and less ability to digest what the agent captured.
Replace your sensitive data with neutral and generic terms that also indicate what data has been redacted.
Example: /account-id/g --> ACCOUNT_ID
Copy/paste installation
If you're using the copy/paste installation method, add the following configuration to your browser JavaScript configurations before the agent loader:
window.NREUM.init={
...<other init properties>...,
obfuscate:[
{
regex:<RegExp| string>,
replacement:<string>,
eventFilter:[<string>]// Optional: specific event types to apply this rule to
},
...<other obfuscation rules>...
]
}
NPM installation
If you're using the NPM browser installation method, add the following configuration when initializing the browser agent:
newBrowserAgent({
init:{
...<other init properties>...,
obfuscate:[
{
regex:<RegExp| string>,
replacement:<string>,
eventFilter:[<string>]// Optional: specific event types to apply this rule to
},
...<other obfuscation rules>...
]
}
})
Examples: Scope obfuscation to specific event types
By default, obfuscation rules apply to all event types captured by the browser agent. However, you can scope rules to specific event types using the eventFilter array property.
This is particularly useful when capturing AJAX payloads, where you may want to obfuscate sensitive data in request/response bodies without affecting other events.
Tip
If you omit the eventFilter property, the rule applies to all event types, maintaining compatibility with existing configurations.
window.NREUM.init={
...<other init properties>...,
obfuscate:[
{
regex:/user-id/g,
replacement:'USER_ID',
eventFilter:['AjaxRequest']// Optional: only apply to specific event types
},
]
}
newBrowserAgent({
init:{
...<other init properties>...,
obfuscate:[
{
regex:/account-id/g,
replacement:'ACCOUNT_ID',
eventFilter:['AjaxRequest','JavaScriptError']// Optional: apply to multiple event types
When you enable AJAX payload capture, the browser agent includes default obfuscation rules to protect common types of sensitive data. These rules are only created the first time you enable AJAX payload capture. If you disable and re-enable this feature, the default rules will not be recreated:
Tip
These rules apply to all applications that have AJAX payload capture enabled. You can customize or disable these rules in the New Relic platform or by using NerdGraph. We recommend keeping these rules enabled unless the configuration causes false positives in your specific use case, as payload capture provides important protection for common types of sensitive data.
Two regex patterns detect and mask common credit card formats:
Both patterns replace detected credit card numbers with XXXX-XXXX-XXXX-XXXX.
The following regex pattern detects and masks common Social Security numbers with XXX-XX-XXXX:
{
regex:/\b\d{3}-?\d{2}-?\d{4}\b/g,
replacement:'XXX-XX-XXXX',
eventFilter:['AjaxRequest']
}
Obfuscation and user identification
If you use the newrelic.setUserId() API to identify users, be aware that obfuscation rules apply to all data collected by the browser agent, including the enduser.id attribute set by setUserId().
This can create conflicts if you're using email addresses or other PII as user identifiers while also obfuscating that same data type in AJAX payloads.
Example scenario
Suppose you:
Use email addresses as user IDs: newrelic.setUserId('user@example.com')
Configure obfuscation to mask email addresses in AJAX request/response bodies
The problem: Because obfuscation rules apply to all event data (not just the AJAX payload), the enduser.id attribute will also be obfuscated, appearing as EMAIL_REDACTED instead of the actual email.
Solutions
The recommended approach is to use a non-sensitive identifier for setUserId(), such as:
If you must use email addresses as user IDs, create obfuscation rules that target specific JSON paths or attribute names, rather than matching email patterns globally:
{
// More specific: only match emails in known sensitive fields
regex:/("customerEmail"\s*:\s*")[^"]+(@[^"]+")/g,
replacement:'$1EMAIL_REDACTED$2',
eventFilter:['AjaxRequest']
}
This approach requires careful testing to ensure you're catching all sensitive data while avoiding false positives.
Caution
Always test your obfuscation rules thoroughly in a development environment before deploying to production. Use the browser's developer tools network tab to inspect the actual payloads being sent to New Relic.