API-Proxy Trail Indexing
After session recording is enabled for an API target, the resulting session recording can be accessed in the following ways:
- Downloading the trail log file: requires the connections-trail permission.
- Indexing the trail and searching the index: requires the connections-view permission.
The trail log shows the full HTTP protocol data stream; the trail index contains only the redacted HTTP request / response header data, along with other non-sensitive request metadata. PrivX uses a built-in list of safe HTTP header keys. These keys are listed later in this guide.
You can specify the safe/unsafe HTTP header keys on Administration→Settings→Trail Index, under Api-Proxy Trail Indexing.
- Safe keys are added to the built-in safe HTTP header keys.
- Unsafe keys are removed from this set and the resulting set is used for indexing API-Proxy trails.
Changes to safe/unsafe HTTP header keys only affect subsequently-indexed trails. Changing the safe/unsafe HTTP header keys does not affect searches into existing trails.
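A minimal model of how the effective key set follows from the two settings, as an added example (not PrivX code). Case-insensitive key matching, the sample headers and the `X-Request-Id` / `X-Api-Key` settings are assumptions made for illustration.

```python
# Added illustration of the rule described above; not PrivX's own code.
# Excerpt of the built-in safe keys listed in the table on this page.
BUILTIN_SAFE_EXCERPT = {"Accept", "Content-Type", "Cookie", "Host",
                        "Set-Cookie", "User-Agent", "X-Forwarded-For"}

def _norm(keys):
    # Assumption: keys match case-insensitively, as HTTP field names do.
    return {k.strip().lower() for k in keys if k.strip()}

def effective_safe_keys(builtin, safe, unsafe):
    # (built-in + safe) - unsafe: removal happens after addition, so a key
    # present in both settings ends up excluded.
    return (_norm(builtin) | _norm(safe)) - _norm(unsafe)

def split_headers(headers, allowed):
    # Assumption: a header whose key is outside the set adds nothing to the
    # index; how the product represents redacted data is not modelled here.
    indexed, withheld = [], []
    for name, value in headers:
        if name.lower() in allowed:
            indexed.append((name, value))
        else:
            withheld.append(name)
    return indexed, withheld

# Constructed sample request headers (not taken from a real trail).
SAMPLE_REQUEST = [
    ("Host", "api.example.internal"),
    ("user-agent", "kubectl/v1.30"),
    ("Cookie", "session=PLACEHOLDER"),
    ("X-Request-Id", "req-0001"),
    ("X-Api-Key", "PLACEHOLDER"),
]

# Hypothetical admin settings: index X-Request-Id, stop indexing cookies.
# X-Api-Key appears in both lists to show that removal wins.
SAFE = ["X-Request-Id", "X-Api-Key"]
UNSAFE = ["cookie", "Set-Cookie", "X-Api-Key"]

ALLOWED = effective_safe_keys(BUILTIN_SAFE_EXCERPT, SAFE, UNSAFE)
INDEXED, WITHHELD = split_headers(SAMPLE_REQUEST, ALLOWED)
print("indexed :", INDEXED)
print("withheld:", WITHHELD)
```

`Cookie` and `Set-Cookie` are in the default safe list, so in this model they stay indexable until they are entered as unsafe keys.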
You can search API-Proxy trail indices under Monitoring→Connections. A search matches keywords against the HTTP request URL and header fields, and against the HTTP response status line and header fields. Matches are returned as request-response pairs along with the metadata.
Default Safe HTTP Header Keys
| HTTP Header Key |
|---|
| Accept |
| Accept-Additions |
| Accept-CH |
| Accept-Charset |
| Accept-Datetime |
| Accept-Encoding |
| Accept-Features |
| Accept-Language |
| Accept-Patch |
| Accept-Post |
| Accept-Query |
| Accept-Ranges |
| Accept-Signature |
| Access-Control |
| Access-Control-Allow-Credentials |
| Access-Control-Allow-Headers |
| Access-Control-Allow-Methods |
| Access-Control-Allow-Origin |
| Access-Control-Expose-Headers |
| Access-Control-Max-Age |
| Access-Control-Request-Headers |
| Access-Control-Request-Method |
| Activate-Storage-Access |
| Age |
| A-IM |
| Allow |
| ALPN |
| Alternates |
| Alt-Svc |
| Alt-Used |
| AMP-Cache-Transform |
| Apply-To-Redirect-Ref |
| Attribution-Reporting-Eligible |
| Attribution-Reporting-Register-Source |
| Attribution-Reporting-Register-Trigger |
| Audit-Id |
| Authentication-Control |
| Authentication-Info |
| Available-Dictionary |
| Cache-Control |
| Cache-Group-Invalidation |
| Cache-Groups |
| Cache-Status |
| CalDAV-Timezones |
| Cal-Managed-ID |
| Capsule-Protocol |
| CDN-Cache-Control |
| CDN-Loop |
| Cert-Not-After |
| Cert-Not-Before |
| C-Ext |
| Clear-Site-Data |
| Client-Cert |
| Client-Cert-Chain |
| Close |
| C-Man |
| CMCD-Object |
| CMCD-Request |
| CMCD-Session |
| CMCD-Status |
| CMSD-Dynamic |
| CMSD-Static |
| Concealed-Auth-Export |
| Configuration-Context |
| Connection |
| Content-Base |
| Content-Digest |
| Content-Disposition |
| Content-DPR |
| Content-Encoding |
| Content-ID |
| Content-Language |
| Content-Length |
| Content-Location |
| Content-MD5 |
| Content-Range |
| Content-Script-Type |
| Content-Security-Policy |
| Content-Security-Policy-Report-Only |
| Content-Style-Type |
| Content-Type |
| Content-Version |
| Cookie |
| Cookie2 |
| C-Opt |
| C-PEP |
| C-PEP-Info |
| Critical-CH |
| Cross-Origin-Embedder-Policy |
| Cross-Origin-Embedder-Policy-Report-Only |
| Cross-Origin-Opener-Policy |
| Cross-Origin-Opener-Policy-Report-Only |
| Cross-Origin-Resource-Policy |
| CTA-Common-Access-Token |
| DASL |
| Date |
| DAV |
| Default-Style |
| Delta-Base |
| Deprecation |
| Depth |
| Derived-From |
| Destination |
| Detached-JWS |
| Device-Memory |
| Dictionary-ID |
| Differential-ID |
| Digest |
| DNT |
| Downlink |
| DPoP |
| DPoP-Nonce |
| DPR |
| Early-Data |
| ECT |
| EDIINT-Features |
| ETag |
| Expect |
| Expect-CT |
| Expires |
| Ext |
| Forwarded |
| From |
| GetProfile |
| Hobareg |
| Host |
| HTTP2-Settings |
| Idempotency-Key |
| If |
| If-Match |
| If-Modified-Since |
| If-None-Match |
| If-Range |
| If-Schedule-Tag-Match |
| If-Unmodified-Since |
| IM |
| Include-Referred-Token-Binding-ID |
| Integrity-Policy |
| Integrity-Policy-Report-Only |
| Isolation |
| Keep-Alive |
| Kubectl-Command |
| Kubectl-Session |
| Label |
| Last-Event-ID |
| Last-Modified |
| Link |
| Link-Template |
| Location |
| Lock-Token |
| Man |
| Max-Forwards |
| Memento-Datetime |
| Meter |
| Method-Check |
| Method-Check-Expires |
| MIME-Version |
| Negotiate |
| NEL |
| No-Vary-Search |
| Observe-Browsing-Topics |
| OData-EntityId |
| OData-Isolation |
| OData-MaxVersion |
| OData-Version |
| Opt |
| Optional-WWW-Authenticate |
| Ordering-Type |
| Origin |
| Origin-Agent-Cluster |
| OSCORE |
| OSLC-Core-Version |
| Overwrite |
| P3P |
| PEP |
| PEP-Info |
| Permissions-Policy |
| PICS-Label |
| Ping-From |
| Ping-To |
| Position |
| Pragma |
| Prefer |
| Preference-Applied |
| Priority |
| ProfileObject |
| Protocol |
| Protocol-Info |
| Protocol-Query |
| Protocol-Request |
| Proxy-Authenticate |
| Proxy-Authentication-Info |
| Proxy-Features |
| Proxy-Instruction |
| Proxy-Status |
| Public |
| Public-Key-Pins |
| Public-Key-Pins-Report-Only |
| Range |
| Redirect-Ref |
| Referer |
| Referer-Root |
| Referrer-Policy |
| Refresh |
| Repeatability-Client-ID |
| Repeatability-First-Sent |
| Repeatability-Request-ID |
| Repeatability-Result |
| Replay-Nonce |
| Reporting-Endpoints |
| Report-To |
| Repr-Digest |
| Retry-After |
| RTT |
| Safe |
| Save-Data |
| Schedule-Reply |
| Schedule-Tag |
| Sec-Browsing-Topics |
| Sec-CH-Prefers-Color-Scheme |
| Sec-CH-Prefers-Reduced-Motion |
| Sec-CH-Prefers-Reduced-Transparency |
| Sec-CH-UA |
| Sec-CH-UA-Arch |
| Sec-CH-UA-Bitness |
| Sec-CH-UA-Form-Factors |
| Sec-CH-UA-Full-Version |
| Sec-CH-UA-Full-Version-List |
| Sec-CH-UA-Mobile |
| Sec-CH-UA-Model |
| Sec-CH-UA-Platform |
| Sec-CH-UA-Platform-Version |
| Sec-CH-UA-WoW64 |
| Sec-Fetch-Dest |
| Sec-Fetch-Mode |
| Sec-Fetch-Site |
| Sec-Fetch-Storage-Access |
| Sec-Fetch-User |
| Sec-GPC |
| Sec-Purpose |
| Sec-Speculation-Tags |
| Security-Scheme |
| Sec-WebSocket-Extensions |
| Sec-WebSocket-Protocol |
| Sec-WebSocket-Version |
| Server |
| Server-Timing |
| Service-Worker |
| Service-Worker-Allowed |
| Service-Worker-Navigation-Preload |
| Set-Cookie |
| Set-Cookie2 |
| Set-Login |
| SetProfile |
| Set-Txn |
| Signature |
| Signature-Input |
| SLUG |
| SoapAction |
| SourceMap |
| Speculation-Rules |
| Status-URI |
| Strict-Transport-Security |
| Sunset |
| Supports-Loading-Mode |
| Surrogate-Capability |
| Surrogate-Control |
| TCN |
| TE |
| Timeout |
| Timing-Allow-Origin |
| Tk |
| Topic |
| Traceparent |
| Tracestate |
| Trailer |
| Transfer-Encoding |
| TTL |
| Upgrade |
| Upgrade-Insecure-Requests |
| Urgency |
| URI |
| Use-As-Dictionary |
| User-Agent |
| Variant-Vary |
| Vary |
| Via |
| Viewport-Width |
| Want-Content-Digest |
| Want-Digest |
| Want-Repr-Digest |
| Warning |
| Width |
| WWW-Authenticate |
| X-Content-Type-Options |
| X-DNS-Prefetch-Control |
| X-Forwarded-For |
| X-Forwarded-Host |
| X-Forwarded-Proto |
| X-Frame-Options |
| X-Kubernetes-Pf-Flowschema-Uid |
| X-Kubernetes-Pf-Prioritylevel-Uid |
| X-Permitted-Cross-Domain-Policies |
| X-Powered-By |
| X-Robots-Tag |
| X-XSS-Protection |