Firewall constraints for RUM

Real User Monitoring (RUM) uses HTTP technologies to send performance data from client browsers to Dynatrace. To do this, the RUM JavaScript is injected into your HTML pages. This code snippet communicates with Dynatrace. However, to fully enable RUM, you must verify that your firewalls, proxies, and web servers are configured properly and allow all required data to pass through.

New beacon protocol format in Dynatrace version 1.219+

Starting with Dynatrace version 1.219, we will provide you with a call-to-action card allowing you to switch all your web applications to the latest beacon format.

All prior versions will reach their end-of-life with Dynatrace version 1.229. If you don’t manage to switch prior to this version, your firewall or security appliance might block a beacon because of the format change. Also, if your OneAgents and RUM JavaScript versions are outdated, actions will be dropped and you won't be able to see any monitoring data for your application.

However, you don’t need to take action if your application was created with Session Replay enabled or if you once activated this feature for your app. In this case, you are already using the new beacon protocol.

Actions required to switch to the latest beacon format:

Prepare your firewall or security appliance to allow the new format in case you apply filtering. The difference between the new query strings and the older ones is that the new strings now follow the proper format with an ampersand & as a separator instead of a semi-colon ;, as was used previously.
If you are still using an unsupported version of OneAgent (version 1.167 or earlier), we recommend that you update your OneAgents immediately. Otherwise, the cookies generated by OneAgent will be detected as invalid.

HTTP requests

For RUM to function fully, the following browser requests must be delivered to Dynatrace:

ruxitagentjs_, the JavaScript tag that's used for auto-injection—the name of the tag may contain additional information, such as active code modules and/or the version of the tag. Agentless RUM requests use the format ruxitagent_.
/rb_<id> and /bf or /bf_<id> are the monitor signals the RUM JavaScript sends back to Dynatrace.
- The monitor uses query parameters such as app, flavor, format, referer, session, srvid, type, visitID, size, zip, va, tt, and ns.
- The POST body contains the payload. The payload is sent with the content type application/octet-stream.

HTTP headers

RUM uses these HTTP headers. All of these must be able to reach Dynatrace.

Request headers

Header	Request	Purpose
`x-dynatrace`	request	Used for transaction stitching in HTTP headers. Set by OneAgent to link web servers. Ensure that network components, such as firewalls and routers, are never configured to remove these headers. Incorrect configuration can potentially lead to broken pure paths. Some network components disable such requests (and deliver HTTP 403 error, which is why it is necessary to configure these components to accept the `x-dynatrace` header.
`x-dynatrace-application`	request	Contains the ID of the RUM application, the cookie domain, and the injection rule (`noop`, `auto`, `before`, or `after`). Also contains the injection pattern when `injectionRule=after` or `injectionRule=before`. Used in case there's some proxy in between a user's browser and the original process that delivers the page.
`x-dynatrace-origin-url`	request	Preserves the original URL of the request in case of URL rewriting.
`x-dtHealthCheck`	request
`X-dynaTrace-RequestState`	request	Tracks the depth of a subpath tree to avoid endless PurePaths.
`x-dtpc`	request	Identifies proper endpoints for beacon transmission; includes session ID for correlation.
`x-dtreferer`	request	Contains the referer of the page for an action and improves the correlation results.
`x-dtc`	request	Contains information for correlation of cross-origin XHRs.
`Cookie`	request	Sets the `dtCookie` cookie in case the HTTP request doesn't contain any.
`X-Ruxit-Forwarded-For`	request	Used to track proxy scenarios by the NGINX code module.
`X-ruxit-Apache-ServerNamePorts`	request	Used by the Apache code module to synchronize service naming with the PHP code module.
`X-ruxit-Disposition`	request	Used by the IIS code module to declutter .NET code module subpaths.
`Accept-Encoding`	request	Discarded by the Apache code module during the fine-tuning of HTML injection behavior.
`Content-Encoding`	request	Discarded during the fine-tuning of HTML injection behavior.
`If-None-Match`	request	Discarded when caching is suppressed.
`If-Not-Modified-Since`	request	Discarded when caching is suppressed.
`If-Match`	request	Modified when caching is suppressed.
`If-Range`	request	Modified when caching is suppressed.
`traceparent`	request	Used for W3C tagging.
`tracecontext`	request	Used for W3C tagging.
`referer`	request	Contains the address of the previous web page from which a link to the currently requested page was followed.
`user-agent`	request	Used for browser and OS detection.

Response headers

Header	Response	Purpose
`X-OneAgent-JS-Injection`	response	Confirms that the RUM JavaScript has been injected to avoid duplicate injection. Has one of the following values: `true`: the injection has been completed. `block`: injection must not be attempted at this time.
`X-ruxit-JS-Agent`	response	Confirms that the RUM JavaScript has been injected to avoid duplicate injection. Has one of the following values: `true`: the injection has been completed. `block`: injection must not be attempted at this time.
`x-dtHealthCheck`	response	Set for responses to special requests. Contains the result of the RUM health check—potential reasons why there is or might be a problem with the injection of the RUM JavaScript. To perform a health check, a page must be requested with the `dtHealthCheck` user agent.
`x-dtAgentId`	response	If the RUM health check is enabled, any involved OneAgent code module adds its ID here. Set for responses to special requests.
`x-dtInjectedServlet`	response	Contains the fully qualified name of the injected servlet or filter.
`Set-Cookie`	response	Sets the session state cookie of the OneAgent.
`ETag`	response	The OneAgent appends a custom string to the original `ETag` response header to track the changes in the application configuration.
`Last-modified`	response	If the `ETag` response header is manipulated, the OneAgent also subtracts 1 second from the original value of this header. Set for responses to special requests.
`Content-Length`	response	Adapted upon HTML injection. Set for responses to special requests.
`Vary`	response	Adapted during HTML injection into compressed responses. Set for responses to special requests.
`Content-Encoding`	response	Adapted during HTML injection into compressed responses.
`Content-Type`	response	Set for responses to special requests.
`Access-Control-Allow-Origin`	response	Set for responses to special requests.
`Cache-Control`	response	Set for responses to special requests.

Cookies

RUM uses the following cookies. All of these must be able to reach Dynatrace. See the Cookies page for more information about how Dynatrace uses cookies.

Cookie	Max size	Purpose
`dtCookie`		Tracks a visit across multiple requests.
`dtLatC`	5 B	Measures server latency for performance monitoring.
`dtPC`	54 B	Required to identify proper endpoints for beacon transmission; includes session ID for correlation.
`dtSa`	max URL length	Intermediate store for page-spanning actions
`rxVisitor`	45B	Visitor ID to correlate sessions
`rxvt`	27B	Session timeout

Mobile RUM

The OneAgent for Mobile uses the x-dynatrace header for the tagging of HTTP requests. In hybrid setups, the dtAdk cookie is used to join hybrid sessions and the dtAdkSettings cookie for syncing settings between OneAgent for Mobile and the RUM JavaScript.