Skip to content

Managing data security

When running Lightrun agents in your application you can control retrieval of sensitive data in the instrumented code by using:

  • Blocklists - to prevent developers from inserting snapshots inside sensitive classes
  • PII redaction - to prevent sensitive data from appearing in snapshots and logs

Permissions

Only users with ROLE_MANAGER permissions can perform these actions.

Note

For additional security, you can manage users and their roles and audit system use.

Blocklists

Use blocklists to prevent snapshots being inserted in classes that might expose sensitive data. Files and packages that include the patterns you've specified in the Blocklist table are protected and your team won't be able to add snapshots.

You can configure blocklists to include package and class names, file names, and directory paths. You can also add blocklist exceptions for any relevant subclasses in which you want to allow snapshot insertion.

Each time your application is started, the agent's blocklist configuration is downloaded and applied to all future actions. If you modify the blocklist configuration, you must restart the application to activate the modified blocklist.

Info

All users can view blocklists and blocklist exceptions but only managers can create, edit, and delete blocklist and blocklist exception patterns.

Example

Prevent snapshots for com.sales with this pattern:

com.sales

Add the following exception so that snapshots can still be added to com.sales.Admin:

com.users.Admin

To configure a blocklist and blocklist exceptions
  1. Log in to your Lightrun account and from the Config menu select Blocklist. The Blocklist window opens, showing a table of existing blocklist and blocklist exception patterns.
  2. To add a text pattern for a new blocklist or blocklist exception, click the Button to add blocklist or exception button next to Blocklist or Blocklist Exceptions.

    The Add Pattern dialog box opens.

    Add blocklist or exception pattern dialog

  3. Respectively for Blocklist and Blocklist Exceptions, in the Pattern text field, enter a pattern to be blocklisted or allowed as an exception (for example, a class name, file name, or directory path).

  4. In the corresponding Name text field, for each pattern, enter a unique name.
  5. Click OK. The dialog box closes and the Blocklist (or Blocklist Exceptions) table updates to include the newly added patterns.
  6. Restart your application to apply the changes.

PII redaction

Use PII redaction to prevent Lightrun from evaluating snapshots and logging sensitive data.

Example

Specify MasterCard credit card data to be redacted according to the following regex pattern:

\b5[1-5]\d\d([\-\ ]?)(?:\d{4}\1){2}\d{4}\b

To configure PII redaction
  1. Log in to your Lightrun account and go to the Config menu.

  2. Select PII Redaction.

    The Data Redaction window opens with a table of existing patterns.

  3. To add a new pattern for redaction, click the Button to add blocklist or exception button.

    The Add Pattern dialog box opens.


    Add PII pattern dialog

  4. Enter a regular expression to specify the character string pattern to be redacted.

  5. In the Name text field, enter a unique name for the added pattern.
  6. To verify the pattern, in the Test Input text field, enter a test string corresponding to the pattern specified in the previous step.
    Pattern verification is confirmed when the entered test string is highlighted in yellow.
  7. Click Save.
    The dialog box closes and the list of redacted character string patterns updates to include the newly added pattern.
  8. Restart your application to apply the changes.

Last update: May 18, 2022