
Real User API Security

How is the abuse of the Real User Monitoring API secured?
From my point of view, the RUM data could currently be quite easily contaminated by means of external requests.

---
Chief Technology Officer at Versio.io

A Stargarderstr.10, 10437 Berlin, Germany
P +49-30-22198651
M +49-178-8380495
E matthias.scholze@versio.io
W www.versio.io
4 REPLIES

andreas_grabner
Dynatrace Guru

Want to add some additional context, as Matthias and I initially discussed this question via email and I asked him to post it here as I didn't know the answer either:

"Which mechanisms exist in the Dynatrace RUM API to prevent any misusage or tampering, e.g: sending bogus data or modifying data that is collected?"

Philipp_Kastner
Dynatrace Pro

Hi Matthias,

thanks for reaching out. We do validate the RUM data. However, if someone simulates valid data it is in theory possible to send bogus/fake data. I believe there isn't much we can do about it for real user monitoring of public pages.
This is a problem other analytics solutions also face.

That said, there is always the option to only allow traffic from trusted sources or block suspicious sources on the network/firewall level.

Kind regards,

Philipp

Perhaps, as also suggested in the linked page, the RUM agent could pull a hash token from the server (ActiveGate) and pass it along. And if that hash is based on the environment ID and timestamp, this could be verified upon reception of data?
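
The token idea from the reply above, sketched as an added example (it is not Dynatrace code and does not describe how the RUM API works): a keyed hash over the environment ID and an issue timestamp, checked on reception. Function names, the token layout and the five-minute lifetime are assumptions. On a public page any visitor can fetch a valid token, so this check rejects stale, cross-environment and tampered tokens, not fabricated data sent with a fresh one.

```javascript
// Added illustration; all names and limits here are hypothetical.
const { createHmac, timingSafeEqual, randomBytes } = require('node:crypto');

const MAX_AGE_MS = 5 * 60 * 1000; // assumed token lifetime
const MAX_SKEW_MS = 30 * 1000;    // tolerated clock skew for future timestamps

// HMAC-SHA256 over "environmentId.timestamp"; the key stays on the server.
function sign(key, environmentId, issuedAt) {
  return createHmac('sha256', key)
    .update(`${environmentId}.${issuedAt}`)
    .digest('hex');
}

// Issuing side: the agent fetches this and sends it with its beacons.
function issueToken(key, environmentId, now = Date.now()) {
  return `${now}.${sign(key, environmentId, now)}`;
}

// Receiving side: returns { ok, reason } so rejections can be logged by cause.
function verifyToken(key, environmentId, token, now = Date.now()) {
  const match = /^(\d{1,15})\.([0-9a-f]{64})$/.exec(String(token));
  if (!match) return { ok: false, reason: 'malformed' };

  // Recompute over the exact timestamp string received, compare in constant time.
  const expected = Buffer.from(sign(key, environmentId, match[1]), 'hex');
  const received = Buffer.from(match[2], 'hex');
  if (!timingSafeEqual(expected, received)) return { ok: false, reason: 'bad-mac' };

  // Freshness is only meaningful once the timestamp is authenticated.
  const issuedAt = Number(match[1]);
  if (issuedAt > now + MAX_SKEW_MS) return { ok: false, reason: 'future' };
  if (now - issuedAt > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  return { ok: true, reason: 'valid' };
}

// Constructed demo values: random key, made-up environment ID.
const demoKey = randomBytes(32);
const demoToken = issueToken(demoKey, 'env-demo');
console.log(verifyToken(demoKey, 'env-demo', demoToken));  // fresh token
console.log(verifyToken(demoKey, 'env-other', demoToken)); // wrong environment
```
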

Hello Philipp,

thank you for your timely feedback.

That's exactly how I thought it would be.

Regards

Matthias

---
Chief Technology Officer at Versio.io

A Stargarderstr.10, 10437 Berlin, Germany
P +49-30-22198651
M +49-178-8380495
E matthias.scholze@versio.io
W www.versio.io