How is the abuse of the Real User Monitoring API secured?
From my point of view, the RUM data could currently be quite easily contaminated by means of external requests.
Want to add some additional context, as Matthias and I initially discussed this question via email and I asked him to post it here as I didn't know the answer either:
"Which mechanisms exist in the Dynatrace RUM API to prevent any misusage or tampering, e.g., sending bogus data or modifying data that is collected?"
Thanks for reaching out. We do validate the RUM data. However, if someone simulates valid data it is in theory possible to send bogus/fake data. I believe there isn't much we can do about it for real user monitoring of public pages.
This is a problem other analytics solutions face as well.
That said, there is always the option to only allow traffic from trusted sources or block suspicious sources on the network/firewall level.
Perhaps, as also suggested in the linked page, the RUM agent could pull a hash token from the server (ActiveGate) and pass it along. And if that hash is based on the environment ID and timestamp, this could be verified upon reception of data?
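
The token idea in the last post, sketched as an added example; it is not Dynatrace code and does not use any Dynatrace API. The function names, the `timestamp.mac` token layout, the secret and the five-minute window are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: a secret held only by the receiving server, never sent to the browser.
SERVER_SECRET = b"constructed-demo-secret"
MAX_AGE_SECONDS = 300   # assumed validity window for a token
MAX_CLOCK_SKEW = 30     # assumed tolerance for timestamps slightly in the future


def _mac(environment_id, ts):
    """HMAC-SHA256 over the environment ID and the issue timestamp."""
    msg = f"{environment_id}|{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(environment_id, now=None):
    """Server side: hand the agent a token of the form 'timestamp.hexmac'."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(environment_id, ts)}"


def verify_token(environment_id, token, now=None):
    """Server side, on receipt of data: return (accepted, reason)."""
    now = int(time.time() if now is None else now)
    ts_text, sep, mac = token.partition(".")
    if not sep or not (ts_text.isascii() and ts_text.isdigit()):
        return False, "malformed"
    ts = int(ts_text)
    # Constant-time comparison; the MAC covers both environment ID and timestamp,
    # so changing either one invalidates the token.
    if not hmac.compare_digest(_mac(environment_id, ts).encode(), mac.encode()):
        return False, "bad-mac"
    if ts > now + MAX_CLOCK_SKEW:
        return False, "future"
    if now - ts > MAX_AGE_SECONDS:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t = issue_token("env-demo")  # "env-demo" is a constructed environment ID
    print(t, verify_token("env-demo", t))
```

A check like this rejects data with no token, a token for another environment, or a stale token. Any client that can load the public page can still obtain a fresh token, so it does not by itself stop well-formed fake data, which matches the limitation described in the reply above.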