• /
  • EnglishEspañolFrançais日本語한국어Português
  • ログイン今すぐ開始

Obfuscate browser data

重要

As of browser agent version 1.317.0, obfuscation can also be configured via New Relic platform and NerdGraph for copy/paste, NPM browser installation methods, and APM-injected applications. You can configure obfuscation rules directly in your JavaScript for copy/paste or NPM installations.

While New Relic recommends avoiding sensitive information in the public structure of your application, we also understand that this isn't always possible. You can configure the browser agent to selectively obfuscate data in every payload it sends. This can be useful if your application uses sensitive data in places that the agent captures, such as navigation paths, error messages, and more.

Set up obfuscation rules

You can create obfuscation rules using one of the following methods:

Out-of-the-box obfuscation

When you enable AJAX payload capture, the browser agent includes default obfuscation rules to protect common types of sensitive data. These rules are only created the first time you enable AJAX payload capture. If you disable and re-enable this feature, the default rules will not be recreated:

ヒント

These rules apply to all applications that have AJAX payload capture enabled. You can customize or disable these rules in the New Relic platform or by using NerdGraph. We recommend keeping these rules enabled unless the configuration causes false positives in your specific use case, as payload capture provides important protection for common types of sensitive data.

Obfuscation and user identification

If you use the newrelic.setUserId() API to identify users, be aware that obfuscation rules apply to all data collected by the browser agent, including the enduser.id attribute set by setUserId().

This can create conflicts if you're using email addresses or other PII as user identifiers while also obfuscating that same data type in AJAX payloads.

Example scenario

Suppose you:

  1. Use email addresses as user IDs: newrelic.setUserId('user@example.com')
  2. Configure obfuscation to mask email addresses in AJAX request/response bodies

Your obfuscation rule might look like:

{
regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
replacement: 'EMAIL_REDACTED',
eventFilter: ['AjaxRequest']
}

The problem: Because obfuscation rules apply to all event data (not just the AJAX payload), the enduser.id attribute will also be obfuscated, appearing as EMAIL_REDACTED instead of the actual email.

Solutions

注意

Always test your obfuscation rules thoroughly in a development environment before deploying to production. Use the browser's developer tools network tab to inspect the actual payloads being sent to New Relic.

Copyright © 2026 New Relic株式会社。

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.