By default, the PHP Agent sends transaction data to the Controller that your organization may classify as privileged information. Though this data is useful for diagnosis and troubleshooting, security considerations may require you to filter certain sensitive information so that it is not displayed on the Controller. You can use the following filters to address these security considerations:
URL filters to exclude sensitive information from a URL in snapshot details.
Data filters to exclude sensitive HTTP cookies.
Edit the PHP configuration file, php.ini or appdynamics_agent.ini, depending on your environment.
In the PHP configuration file, configure the following settings. If the value of any of the following settings in the ini file contains non-alphanumeric characters, it must be enclosed in double quotes (") as per the PHP guidelines.
For example:
agent.sensitive_data_filter.configDelimiter = "|"
For example:
agent.sensitive_data_filter.delimiter = "/"
‘#’ and ‘;’ cannot be used as a delimiter or configDelimiter because the ini file treats them as the start of a comment.
For example:
agent.sensitive_data_filter.segment = "2,3"
NOT_EMPTY|EQUALS|STARTSWITH|ENDSWITH|CONTAINS|REGEX. The PERL standard must be followed if REGEX is used. The value is REQUIRED. To use this correctly, note that query parameters are not considered for match-filtering. Taking the call "https://myapp.example.com/sensitive/data?first_name=abc&last_name=xyz" as an example, a match-filter of STARTSWITH matches a specified string starting with the hostname, "https://myapp.example.com" in this example. If the URL contains the port in the hostname, the port must be present in the config string. Similarly, ENDSWITH corresponds to the last segment without the query parameters, "data" in this case, because query parameters are never reported in the snapshots.
For example:
agent.sensitive_data_filter.matchFilter = "CONTAINS"
For example:
agent.sensitive_data_filter.matchPattern = "myapp"
For example:
agent.sensitive_data_filter.paramMatcher = "[a-z]+_name"
For example, the following configuration splits the URL on the "/" character and masks the second segment and the ParamPattern in the third segment of the URL. Here, the segmentation and obfuscation apply only to URLs containing "myapp".
agent.sensitive_data_filter.configDelimiter = "|"
agent.sensitive_data_filter.delimiter = "/"
agent.sensitive_data_filter.segment = "2"
agent.sensitive_data_filter.matchFilter = "CONTAINS"
agent.sensitive_data_filter.matchPattern = "myapp"
agent.sensitive_data_filter.paramMatcher = "[a-z]+_name"
The exit call to "https://myapp.example.com/sensitive/data?first_name=abc&last_name=xyz" breaks down into three segments: "https://myapp.example.com", "sensitive", and "data?first_name=abc&last_name=xyz". In the snapshot details, the Controller shows the URL with the segment and the param-pattern values masked: "https://myapp.example.com/*****/data?first_name=***&last_name=***".
If you do not use any values for the query parameters, the Controller does not mask any query parameters in the URL.
Due to the limitations of the PHP configurations, if you want to redact multiple URLs separately, arguments must be written separated by the config delimiter as described below:
agent.sensitive_data_filter.configDelimiter = "|"
agent.sensitive_data_filter.delimiter = "/|/"
agent.sensitive_data_filter.segment = "1,2,3|1,4"
agent.sensitive_data_filter.matchFilter = "CONTAINS|ENDSWITH"
agent.sensitive_data_filter.matchPattern = "One|.php"
agent.sensitive_data_filter.paramMatcher = "[a-z]+_name|[a-z]+_name"
Each ‘|’-separated value corresponds to an additional URL filter. For ‘n’ separate URL filters, you need ‘n’ ‘|’-separated configurations in each setting. These filters work independently on the URLs and redact based on the configuration specified for each filter. The first matching configuration is used for the redaction.
For a successful redaction, ensure that each configuration contains the same number of configuration segments.
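A mismatch in these counts is easy to introduce, for instance when a regex alternation contains the config delimiter. The following linter is an added example, not AppDynamics tooling: it applies the rules stated on this page (double-quoted values, no ‘#’ or ‘;’ delimiters, valid match types, equal value counts) to the multi-URL configuration above. The function name `lint` is hypothetical, and the linter assumes that configDelimiter is always set explicitly.

```python
PREFIX = "agent.sensitive_data_filter."
PER_FILTER = ("delimiter", "segment", "matchFilter", "matchPattern", "paramMatcher")
MATCH_TYPES = {"NOT_EMPTY", "EQUALS", "STARTSWITH", "ENDSWITH", "CONTAINS", "REGEX"}

def lint(ini_text):
    """Return a list of problems found in the sensitive_data_filter URL settings."""
    settings, problems = {}, []
    for line in ini_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue  # comments, blank lines, unrelated directives
        key, raw = (part.strip() for part in line.split("=", 1))
        name = key[len(PREFIX):]
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        if not quoted and not raw.isalnum():
            problems.append(f"{name}: value must be enclosed in double quotes")
        settings[name] = raw[1:-1] if quoted else raw
    sep = settings.get("configDelimiter")
    if not sep:  # assumption of this linter: the delimiter is always set explicitly
        return problems + ["configDelimiter: not set"]
    for name in ("configDelimiter", "delimiter"):
        if any(ch in settings.get(name, "") for ch in "#;"):
            problems.append(f"{name}: '#' and ';' start an ini comment")
    # Every per-filter setting must split into the same number of values.
    counts = {n: len(settings[n].split(sep)) for n in PER_FILTER if n in settings}
    if len(set(counts.values())) > 1:
        problems.append(f"unequal number of filter values: {counts}")
    for kind in settings.get("matchFilter", "").split(sep):
        if kind not in MATCH_TYPES:
            problems.append(f"matchFilter: {kind!r} is not a valid match type")
    return problems

# The multi-URL configuration from the page.
PAGE_CONFIG = '''
agent.sensitive_data_filter.configDelimiter = "|"
agent.sensitive_data_filter.delimiter = "/|/"
agent.sensitive_data_filter.segment = "1,2,3|1,4"
agent.sensitive_data_filter.matchFilter = "CONTAINS|ENDSWITH"
agent.sensitive_data_filter.matchPattern = "One|.php"
agent.sensitive_data_filter.paramMatcher = "[a-z]+_name|[a-z]+_name"
'''
# Constructed: the regex alternation collides with the config delimiter.
BROKEN_CONFIG = PAGE_CONFIG.replace('"CONTAINS|ENDSWITH"', '"CONTAINS|REGEX"').replace(
    '"One|(admin|billing)"', '"One|(admin|billing)"').replace('"One|.php"', '"One|(admin|billing)"')

if __name__ == "__main__":
    for label, text in (("page", PAGE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint(text) or "ok")
```

Running the linter before deploying an ini change catches a filter set that would otherwise fail to redact.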
You can use Cookie filters to configure the agent to obfuscate sensitive information from the URLs in transaction snapshot details.
Edit the PHP configuration file, php.ini or appdynamics_agent.ini, depending on your environment.
Add the sensitive cookie filter elements as directives:
AppDynamicsCookieMatchPattern: Specify a regular expression identifying cookies that must be redacted.
For example:
agent.sensitive_data_filter.cookieMatcher = "cookieKey"
To mask multiple cookie values simultaneously, provide the names of all those cookies, separated by the config delimiter, as a single string:
agent.sensitive_data_filter.cookieMatcher = "PHPSESSID|X-CSRF-TOKEN|cookiekey"
If the config delimiter is present in a cookie name itself, change the config delimiter to something else that does not occur in the cookie matcher strings.