23 Aug 2021 09:12 AM
How is the abuse of the Real User Monitoring API secured?
From my point of view, the RUM data could currently be quite easily contaminated by means of external requests.
23 Aug 2021 04:26 PM
Want to add some additional context as Matthias and I initially discussed this question via email and I asked him to post it here as I didn't know the answer either:
"Which mechanisms exist in the Dynatrace RUM API to prevent any misusage or tampering, e.g.: sending bogus data or modifying data that is collected?"
24 Aug 2021 11:29 AM
Hi Matthias,
thanks for reaching out. We do validate the RUM data. However, if someone simulates valid data it is in theory possible to send bogus/fake data. I believe there isn't much we can do about it for real user monitoring of public pages.
This is a problem other analytics solutions also face.
That said, there is always the option to only allow traffic from trusted sources or block suspicious sources on the network/firewall level.
Kind regards,
Philipp
03 Dec 2021 09:19 AM
Perhaps, as also suggested in the linked page, the RUM agent could pull a hash token from the server (ActiveGate) and pass it along. And if that hash is based on the environment ID and timestamp, this could be verified upon reception of data?
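
The token scheme suggested in the post above, sketched as an added example (not part of the thread and not Dynatrace code or a Dynatrace API): the server issues a keyed MAC over the environment ID and issue time, and the receiver checks it before accepting a beacon. The key, environment ID, function names and token layout are assumptions. On a public page any visitor can fetch a token, so this check binds a beacon to an environment and limits token age; it does not prove the reported data is genuine.

```python
import hashlib
import hmac
import time

# Constructed values for illustration only; not real Dynatrace identifiers.
SECRET_KEY = b"constructed-demo-key"   # held server-side only, never shipped to the browser
ENVIRONMENT_ID = "abc12345"            # hypothetical environment ID
MAX_AGE_SECONDS = 300                  # how long an issued token stays acceptable
CLOCK_SKEW_SECONDS = 30                # tolerated skew between issuer and receiver


def _mac(environment_id, issued_str, key):
    """HMAC-SHA256 over 'environment|timestamp' (hypothetical layout)."""
    msg = f"{environment_id}|{issued_str}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_token(environment_id, now=None, key=SECRET_KEY):
    """Server side: return '<issued_at>.<hex mac>' for the RUM agent to send back."""
    issued_str = str(int(time.time() if now is None else now))
    return f"{issued_str}.{_mac(environment_id, issued_str, key)}"


def verify_token(token, environment_id, now=None, key=SECRET_KEY,
                 max_age=MAX_AGE_SECONDS):
    """Receiver side: return (accepted, reason) for a token sent with a beacon."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
        presented = mac.encode()
    except (ValueError, AttributeError):
        return False, "malformed"
    expected = _mac(environment_id, issued_str, key).encode()
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, "bad-mac"
    if issued_at > now + CLOCK_SKEW_SECONDS:
        return False, "from-future"
    if now - issued_at > max_age:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    token = issue_token(ENVIRONMENT_ID)
    print(token, verify_token(token, ENVIRONMENT_ID))
```
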
24 Aug 2021 01:02 PM
Hello Philipp,
thank you for your timely feedback.
That's exactly how I thought it would be.
Regards
Matthias