Network Request Content Collection
Privacy Considerations for Network Request Content Collection
Network request content collection is a key feature of Tingyun RUM (Real User Monitoring), which helps developers understand and analyze application performance and user experience. However, we fully understand that network request content may contain sensitive information such as user personal data, authentication credentials, and business data. Therefore, we have designed a series of privacy protection mechanisms to ensure that sensitive information is properly protected during the collection process.
SDK Design Principles
Tingyun RUM SDK adheres to the following design principles for network request content collection:
- Opt-in Collection: By default, the SDK only collects basic network request information (such as URL, status code, and time consumption) and does not collect request/response headers or bodies unless explicitly enabled by developers.
- Granular Control: Developers can configure which parts of network requests to collect (request headers, request body, response headers, response body) based on their specific needs.
- Whitelist/Blacklist Mechanism: Developers can configure a URL whitelist/blacklist to precisely control which network requests' content should be collected.
- Data Minimization: Even when collection is enabled, the SDK implements size limits to avoid collecting excessive data.
- Privacy by Design: The SDK provides built-in privacy protection configurations to automatically filter out sensitive information.
Collection Switch Control
Tingyun RUM SDK provides the following collection switch controls:
| Platform | Configuration Method | Default Setting |
|---|---|---|
| Android | TingyunRumConfig.Builder.setEnableHttpBody(boolean enable) | Disabled |
| iOS | TRCConfig.enableHttpBody | Disabled |
| Web | enableHttpBody | Disabled |
When the switch is disabled, the SDK will not collect any request/response headers or bodies.
Out-of-the-Box Privacy Configuration
Even when collection is enabled, Tingyun RUM SDK implements the following privacy protection measures by default:
Sensitive Headers Not Recorded
The following headers are considered sensitive and will not be recorded by default:
- Authorization
- X-Auth-Token
- X-Auth-Password
- Cookie
- Set-Cookie
- Other headers containing keywords like "token", "auth", "key", "secret", "credential", "password"
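As an added example (not Tingyun SDK code), the following JavaScript models the default rule listed above so that an application's own header names can be checked against it. It assumes case-insensitive names and substring keyword matching, which the page does not specify; the function names and sample headers are constructed.

```javascript
// Model of the default header rule described above (not Tingyun SDK code).
// Assumption: names compare case-insensitively and keywords match as substrings.
const SENSITIVE_NAMES = new Set([
  "authorization", "x-auth-token", "x-auth-password", "cookie", "set-cookie",
]);
const SENSITIVE_KEYWORDS = ["token", "auth", "key", "secret", "credential", "password"];

function isSensitiveHeader(name) {
  const n = name.trim().toLowerCase();
  return SENSITIVE_NAMES.has(n) || SENSITIVE_KEYWORDS.some((k) => n.includes(k));
}

// Split a header map into what the rule would drop and what it would let through.
function partitionHeaders(headers) {
  const recorded = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isSensitiveHeader(name)) dropped.push(name);
    else recorded[name] = value;
  }
  return { recorded, dropped };
}

// Constructed sample request headers.
const sampleHeaders = {
  "Content-Type": "application/json",
  "Authorization": "Bearer constructed-value",
  "Proxy-Authorization": "Basic constructed-value",
  "X-Api-Key": "constructed-value",
  "X-CSRF-Token": "constructed-value",
  "X-Session-Id": "constructed-value", // no listed keyword: passes the rule
  "X-User-Email": "user@example.com",  // personal data, no keyword: passes the rule
};

const result = partitionHeaders(sampleHeaders);
console.log("dropped:", result.dropped);
console.log("recorded:", Object.keys(result.recorded));
```

Under this model, headers such as `X-Session-Id` or `X-User-Email` carry no listed keyword and would be recorded whenever header collection is enabled; the header collection switches and the URL blacklist are the controls for those cases.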
Privacy Control Features by Platform
Android
| Feature | Configuration Method | Description |
|---|---|---|
| Network Request URL Whitelist | TingyunRumConfig.Builder.setHttpBodyCollectUrls(List<String> urls) | Only collect content for URLs in the whitelist |
| Network Request URL Blacklist | TingyunRumConfig.Builder.setHttpBodyIgnoreUrls(List<String> urls) | Do not collect content for URLs in the blacklist |
| Request Header Collection | TingyunRumConfig.Builder.setEnableHttpRequestHeader(boolean enable) | Enable/disable request header collection |
| Request Body Collection | TingyunRumConfig.Builder.setEnableHttpRequestBody(boolean enable) | Enable/disable request body collection |
| Response Header Collection | TingyunRumConfig.Builder.setEnableHttpResponseHeader(boolean enable) | Enable/disable response header collection |
| Response Body Collection | TingyunRumConfig.Builder.setEnableHttpResponseBody(boolean enable) | Enable/disable response body collection |
| JSONPath Collection | TingyunRumConfig.Builder.setHttpBodyJsonPath(Map<String, List<String>> jsonPathMap) | Collect specific fields from JSON request/response bodies |
iOS
| Feature | Configuration Method | Description |
|---|---|---|
| Network Request URL Whitelist | TRCConfig.httpBodyCollectUrls | Only collect content for URLs in the whitelist |
| Network Request URL Blacklist | TRCConfig.httpBodyIgnoreUrls | Do not collect content for URLs in the blacklist |
| Request Header Collection | TRCConfig.enableHttpRequestHeader | Enable/disable request header collection |
| Request Body Collection | TRCConfig.enableHttpRequestBody | Enable/disable request body collection |
| Response Header Collection | TRCConfig.enableHttpResponseHeader | Enable/disable response header collection |
| Response Body Collection | TRCConfig.enableHttpResponseBody | Enable/disable response body collection |
| JSONPath Collection | TRCConfig.httpBodyJsonPath | Collect specific fields from JSON request/response bodies |
Web
| Feature | Configuration Method | Description |
|---|---|---|
| Network Request URL Whitelist | httpBodyCollectUrls | Only collect content for URLs in the whitelist |
| Network Request URL Blacklist | httpBodyIgnoreUrls | Do not collect content for URLs in the blacklist |
| Request Header Collection | enableHttpRequestHeader | Enable/disable request header collection |
| Request Body Collection | enableHttpRequestBody | Enable/disable request body collection |
| Response Header Collection | enableHttpResponseHeader | Enable/disable response header collection |
| Response Body Collection | enableHttpResponseBody | Enable/disable response body collection |
| JSONPath Collection | Not supported | Not supported in Web SDK |
JSONPath Collection Support
For Android and iOS platforms, Tingyun RUM SDK supports JSONPath-based collection, which allows developers to collect only specific fields from JSON request/response bodies. This feature helps implement more precise privacy protection by collecting only the necessary data fields while excluding sensitive information.
Example configuration (Android):
```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Map each URL to the JSONPath expressions whose values may be collected
Map<String, List<String>> jsonPathMap = new HashMap<>();
List<String> paths = new ArrayList<>();
paths.add("$.data.items[*].id"); // Collect only item IDs from the response
paths.add("$.data.total"); // Collect total count from the response
jsonPathMap.put("https://api.example.com/items", paths);

TingyunRumConfig.Builder builder = new TingyunRumConfig.Builder();
builder.setHttpBodyJsonPath(jsonPathMap);
```
With the above configuration, when a request is made to "https://api.example.com/items" and the response is a JSON object, only the specified fields (item IDs and total count) will be collected, while other potentially sensitive information in the response will be excluded.
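An added example (not Tingyun SDK code) that models the field selection described above as a standalone JavaScript script, so a path list can be previewed against a sample response before it is shipped. The evaluator handles only `$`, `.name`, `[*]` and `[n]`; the function names and the sample body are constructed for illustration.

```javascript
// Model of JSONPath field selection for the path forms used above:
// "$", ".name", "[*]" and "[n]". Not Tingyun SDK code.
function parsePath(path) {
  if (!path.startsWith("$")) throw new Error("path must start with $: " + path);
  const steps = [];
  const re = /\.([A-Za-z_][\w-]*)|\[(\*|\d+)\]/y; // sticky: match at lastIndex only
  re.lastIndex = 1;
  while (re.lastIndex < path.length) {
    const m = re.exec(path);
    if (!m) throw new Error("unsupported path syntax: " + path);
    steps.push(m[1] !== undefined ? { key: m[1] } : { index: m[2] });
  }
  return steps;
}

function select(doc, path) {
  let nodes = [doc];
  for (const step of parsePath(path)) {
    const next = [];
    for (const node of nodes) {
      if (node === null || typeof node !== "object") continue;
      if (step.key !== undefined) {
        const own = Object.prototype.hasOwnProperty.call(node, step.key);
        if (!Array.isArray(node) && own) next.push(node[step.key]);
      } else if (step.index === "*") {
        next.push(...Object.values(node));
      } else if (Array.isArray(node) && Number(step.index) < node.length) {
        next.push(node[Number(step.index)]);
      }
    }
    nodes = next;
  }
  return nodes;
}

// Keep only the values matched by the configured paths; the rest is discarded.
function collect(paths, bodyText) {
  const doc = JSON.parse(bodyText);
  return Object.fromEntries(paths.map((p) => [p, select(doc, p)]));
}

// Constructed response body: wanted fields next to personal data.
const body = JSON.stringify({
  data: { total: 2, items: [
    { id: 101, owner: { email: "a@example.com" } },
    { id: 102, owner: { email: "b@example.com" } } ] },
  session: "constructed-session-value",
});
const collected = collect(["$.data.items[*].id", "$.data.total"], body);
const broad = select(JSON.parse(body), "$.data.items[*]"); // whole items, owner.email included
```

The two configured paths yield only the IDs and the total, while the broader `$.data.items[*]` returns each item whole, nested `owner.email` included, so paths are best written down to the leaf fields that are actually needed.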