https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171101#M3062 <P>Hi Matthias,</P> <P>&nbsp;</P> <P>thanks for reaching out. We do validate the RUM data. However, if someone simulates valid data it is in theory possible to send bogus/fake data. I believe there isn't much we can do about it for real user monitoring of public pages.<BR />This is a problem also&nbsp;<A href="https://security.stackexchange.com/questions/106892/how-does-google-analytics-prevent-fake-data-attacks-against-an-entitys-traffic" target="_blank" rel="noopener">other analytics solutions face</A>.</P> <P>&nbsp;</P> <P>That said, there is always the option to only allow traffic from trusted sources or block suspicious sources on the network/firewall level.</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>Philipp</P> Tue, 24 Aug 2021 10:29:42 GMT Philipp_Kastner 2021-08-24T10:29:42Z https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171056#M3059 <P>How is the abuse of the Real User Monitoring API secured?<BR />From my point of view, the RUM data could currently be quite easily contaminated by means of external requests.</P> Mon, 23 Aug 2021 08:12:54 GMT https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171056#M3059 Matthias-Versio 2021-08-23T08:12:54Z https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171076#M3061 <P>Want to add some additional context as Matthias and I initially discussed this question via email and I asked him to post it here as I didnt know the answer either:</P> <P>"Which mechanisms exist in the Dynatrace RUM API to prevent any misusage or tampering, e.g: sending bogus data or modifying data that is collected?"</P> Mon, 23 Aug 2021 15:26:21 GMT https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171076#M3061 andreas_grabner 2021-08-23T15:26:21Z https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171101#M3062 <P>Hi Matthias,</P> <P>&nbsp;</P> <P>thanks for reaching out. We do validate the RUM data. However, if someone simulates valid data it is in theory possible to send bogus/fake data. I believe there isn't much we can do about it for real user monitoring of public pages.<BR />This is a problem also&nbsp;<A href="https://security.stackexchange.com/questions/106892/how-does-google-analytics-prevent-fake-data-attacks-against-an-entitys-traffic" target="_blank" rel="noopener">other analytics solutions face</A>.</P> <P>&nbsp;</P> <P>That said, there is always the option to only allow traffic from trusted sources or block suspicious sources on the network/firewall level.</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>Philipp</P> Tue, 24 Aug 2021 10:29:42 GMT https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171101#M3062 Philipp_Kastner 2021-08-24T10:29:42Z https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171107#M3063 <P>Hello Phillip,</P><P>&nbsp;</P><P>thank you for your timely feedback.</P><P>That's exactly how I thought it would be.</P><P>&nbsp;</P><P>Regards</P><P>Matthias</P> Tue, 24 Aug 2021 12:02:48 GMT https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/171107#M3063 Matthias-Versio 2021-08-24T12:02:48Z https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/176899#M3266 <P>Perhaps, as also suggested in the linked page, the RUM agent could pull a hash token from the server (activegate) and pass it along. And if that hash is based on the environment ID and timestamp, this could be verified upon reception of data?</P> Fri, 03 Dec 2021 09:19:35 GMT https://community.dynatrace.com/t5/Real-User-Monitoring/Real-User-API-Security/m-p/176899#M3266 fstekelenburg 2021-12-03T09:19:35Z