About data storage and privacy

We store request and response data and make it available via the web interface and API. Because the agent redacts requests before forwarding them, only non-sensitive or benign portions of a request are ever sent to the platform backend.

Limitations and considerations

Keep these things in mind:

  • Data can only be extracted within 24 hours of its creation.
  • We store request and response data for 30 days and then delete it.
  • We use the collected request data to help identify and block attacks to your web application. We never attribute any data back to your organization or end users.

Response data storage

We only collect metadata (e.g., response codes and response headers) from response records.

Request data storage

From request records, we collect and store two types of data:

  • Time series data: the number of signals (e.g., XSS, SQLi, 404s) observed per minute. All time series data is available via graphs in the web interface.

    An example graph showing the number of injection attacks received over the last 24 hours, broken up by attack type.

  • Individual request data: detailed information about requests (e.g., originating IP address and request parameters). We store individual request data based on storage categories, site alerts, and the value of the Request logging setting for request rules.

    A screenshot of the requests page with example requests.

How request data storage works

When requests are made to your web application, the Signal Sciences agent tags the requests with the appropriate signals and sends the signals to our cloud-hosted collection and analysis system. The system then counts the number of requests that were tagged with a particular signal during each one-minute period and makes this data available via time series graphs in the web interface.

The Signal Sciences agent also determines which incoming requests we should store individual request data for. Individual request data is detailed information about a request record (e.g., originating IP address and parameters). To identify the requests that need capturing, the agent uses:

  • the value of the Request logging menu from request rules. Specifically, we log requests that meet the criteria of a request rule with a Request logging value of Sampled.
  • site alerts when the agent mode is Blocking or Not blocking. Specifically, when a system site alert flags an IP address, we log a sample of subsequent requests that are tagged with an attack signal and that are from that IP address.
  • storage categories, which are based on signal type. For example, we store the individual request data for all requests that are tagged with the SQLI attack signal because requests that are tagged with an attack signal fall into the all storage category.

After identifying the requests that need capturing, the agent redacts sensitive data from the selected requests. By default, the agent redacts certain data (e.g., passwords, session tokens, and tracking cookies). The agent also redacts custom fields that you identify. For example, if your password field is named foobar instead of password, you can create a custom redaction for the foobar field.
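To make the redaction step concrete, here is an added example in Python; it is not the Signal Sciences agent's code. It redacts a parsed request before it would be forwarded, covering the query string, a form or JSON body, session and tracking cookies, and credential-bearing headers, plus a customer-named field (foobar, as in the paragraph above). The default field, cookie and header names, the REDACTED marker, the JSON handling, the request dict shape and the sample request are all assumptions for this example; the page only states that passwords, session tokens, tracking cookies and custom fields are redacted.

```python
"""Illustrative request redaction before data leaves the host.

Added example, not the Signal Sciences agent's code. The default field,
cookie and header names, the REDACTED marker and the sample request are
assumptions for this example.
"""
import json
from urllib.parse import parse_qsl, urlencode

REDACTED = "REDACTED"

# Assumed default redaction lists (the agent's real lists are not on this page).
DEFAULT_PARAMS = {"password", "passwd", "pass", "token", "session", "csrf"}
DEFAULT_COOKIES = {"sessionid", "phpsessid", "jsessionid", "_ga", "_gid"}  # session + tracking
DEFAULT_HEADERS = {"authorization", "proxy-authorization", "x-api-key"}


def _param_names(custom_fields):
    """Default sensitive parameter names plus customer-defined ones (e.g. "foobar")."""
    return DEFAULT_PARAMS | {f.lower() for f in custom_fields}


def redact_form(encoded, custom_fields=()):
    """Redact values of sensitive keys in a URL-encoded query string or form body."""
    names = _param_names(custom_fields)
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return urlencode([(k, REDACTED if k.lower() in names else v) for k, v in pairs])


def redact_json(obj, custom_fields=()):
    """Recursively redact sensitive keys anywhere in a decoded JSON body."""
    names = _param_names(custom_fields)
    if isinstance(obj, dict):
        return {k: REDACTED if k.lower() in names else redact_json(v, custom_fields)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_json(v, custom_fields) for v in obj]
    return obj


def redact_cookie_header(value):
    """Blank the values of session and tracking cookies; keep the cookie names."""
    out = []
    for part in value.split(";"):
        name, sep, val = (p.strip() for p in part.partition("="))
        if not name:
            continue
        if sep and name.lower() in DEFAULT_COOKIES:
            val = REDACTED
        out.append(f"{name}={val}" if sep else name)
    return "; ".join(out)


def redact_request(req, custom_fields=()):
    """Return a redacted copy of a parsed request.

    `req` is a plain dict with method, path, query, headers and body
    (a shape chosen for this example).
    """
    headers = {}
    content_type = ""
    for name, val in req.get("headers", {}).items():
        lname = name.lower()
        if lname in DEFAULT_HEADERS:
            val = REDACTED
        elif lname == "cookie":
            val = redact_cookie_header(val)
        elif lname == "content-type":
            content_type = val.lower()
        headers[name] = val

    body = req.get("body", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        body = redact_form(body, custom_fields)
    elif content_type.startswith("application/json"):
        try:
            body = json.dumps(redact_json(json.loads(body), custom_fields))
        except ValueError:
            body = REDACTED  # this example drops a body it cannot parse rather than forward it
    return {"method": req["method"], "path": req["path"],
            "query": redact_form(req.get("query", ""), custom_fields),
            "headers": headers, "body": body}


SAMPLE_REQUEST = {  # constructed for this example
    "method": "POST",
    "path": "/login",
    "query": "next=%2Faccount&token=abc123",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "theme=dark; sessionid=9f8e7d; _ga=GA1.2.123",
        "Authorization": "Bearer eyJhbGciOi",
        "User-Agent": "curl/8.0",
    },
    "body": "username=alice&foobar=hunter2&remember=1",
}

if __name__ == "__main__":
    print(json.dumps(redact_request(SAMPLE_REQUEST, custom_fields=["foobar"]), indent=2))
```

Run it with and without `custom_fields=["foobar"]` to see why the custom redaction matters: with the default list alone, the hunter2 value in the foobar field would be forwarded untouched. Redaction keeps key names and structure, so the stored request still shows which parameters were present and supports rule matching on them, without carrying their values.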

Next, the agent sends the redacted requests to our system and our system makes the individual request data available via the web interface and API.

We store both the time series data and the individual request data for 30 days and then delete it.

Storage categories

Storage categories help determine which request records we store individual request data for. They are based on the type of signals that requests are tagged with.

Storage categories, what they apply to, and what data is stored:

  • All
    Applies to: requests that contain at least one attack signal (e.g., SQLi and XSS) or one CVE signal applied by a virtual patching rule.
    Stored: individual request data and time series data from all requests that fit into this storage category.

  • Sampled
    Applies to: requests that don't fit into the All storage category and that contain at least one custom signal or one anomaly signal (e.g., HTTP 404 Errors and Tor traffic).
    Stored: individual request data from a random sample of requests that fit into this storage category, plus time series data from all of them.

  • Time series only
    Applies to: requests that only contain informational signals or signals from API or ATO templated rules.
    Stored: time series data from all requests that fit into this storage category; no individual request data.

  • Not stored
    Applies to: requests that aren't tagged with a signal.
    Stored: no individual request data.
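The capture decision described under "How request data storage works" and the storage categories above, as an added example in Python. This is not Signal Sciences code: the category rules and the three capture criteria (request rule with Request logging set to Sampled, site alert on a flagged IP, storage category) follow the page, but the signal names beyond those the page mentions, the identification of custom signals by an explicit set, the 10% sampling rate, the uniform random draw and the sample batch of requests are assumptions. The per-minute counter shows that every tagged request feeds the time series even when its individual data is never stored.

```python
"""Illustrative storage-category and capture decision logic.

Added example, not Signal Sciences code. Signal names beyond those the page
names, the sampling rate and the uniform random draw are assumptions.
"""
import random
from collections import Counter
from datetime import datetime, timezone

# Signal groupings. SQLI, XSS, HTTP 404 and Tor come from the page; the rest
# of the membership and the exact spellings are assumed for this example.
ATTACK_SIGNALS = {"SQLI", "XSS", "CMDEXE", "TRAVERSAL"}
ANOMALY_SIGNALS = {"HTTP404", "TORNODE", "HTTP5XX"}
CVE_PREFIX = "CVE-"  # CVE signals applied by virtual patching rules (spelling assumed)


def storage_category(signals, custom_signals=frozenset()):
    """Map a request's signals to one of the page's four storage categories."""
    signals = set(signals)
    if any(s in ATTACK_SIGNALS or s.startswith(CVE_PREFIX) for s in signals):
        return "all"
    if any(s in ANOMALY_SIGNALS or s in custom_signals for s in signals):
        return "sampled"
    if signals:  # only informational / API / ATO templated-rule signals remain
        return "time_series_only"
    return "not_stored"


def capture_reasons(signals, client_ip, rule_logging=None, flagged_ips=frozenset(),
                    custom_signals=frozenset(), sample_rate=0.1, rng=random.random):
    """List why this request's individual data would be kept (empty list = not kept).

    rule_logging: the Request logging value of a matching request rule.
    flagged_ips:  addresses flagged by a system site alert.
    Each sampled path draws once; the 10% rate is this example's assumption.
    """
    signals = set(signals)
    reasons = []
    category = storage_category(signals, custom_signals)
    if category == "all":
        reasons.append("storage category: all")
    elif category == "sampled" and rng() < sample_rate:
        reasons.append("storage category: sampled (selected)")
    if rule_logging == "Sampled" and rng() < sample_rate:
        reasons.append("request rule: Request logging = Sampled (selected)")
    if client_ip in flagged_ips and signals & ATTACK_SIGNALS and rng() < sample_rate:
        reasons.append("site alert: flagged IP with attack signal (selected)")
    return reasons


def time_series(tagged_requests):
    """Count requests per signal per UTC minute.

    Every tagged request feeds the time series, including those whose
    individual request data is never stored.
    """
    counts = Counter()
    for ts, signals in tagged_requests:
        minute = ts.astimezone(timezone.utc).replace(second=0, microsecond=0)
        for s in signals:
            counts[(minute, s)] += 1
    return counts


T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# Constructed for this example: (timestamp, client IP, signals, Request logging of matching rule)
SAMPLE_REQUESTS = [
    (T0.replace(second=5), "203.0.113.7", {"SQLI"}, None),
    (T0.replace(second=40), "203.0.113.7", {"XSS", "HTTP404"}, None),
    (T0.replace(second=59), "198.51.100.2", {"HTTP404"}, None),
    (T0.replace(minute=1), "198.51.100.2", {"site.checkout"}, "Sampled"),
    (T0.replace(minute=1, second=30), "192.0.2.9", set(), None),
]
FLAGGED_IPS = {"203.0.113.7"}        # assumed: flagged by a site alert
CUSTOM_SIGNALS = {"site.checkout"}   # assumed custom signal name


def run(requests=SAMPLE_REQUESTS, rng=random.random):
    """Return (per-minute counts, {request index: capture reasons}) for a batch."""
    series = time_series((ts, sigs) for ts, _, sigs, _ in requests)
    kept = {}
    for i, (ts, ip, sigs, logging) in enumerate(requests):
        reasons = capture_reasons(sigs, ip, rule_logging=logging, flagged_ips=FLAGGED_IPS,
                                  custom_signals=CUSTOM_SIGNALS, rng=rng)
        if reasons:
            kept[i] = reasons
    return series, kept


if __name__ == "__main__":
    series, kept = run()
    for (minute, signal), n in sorted(series.items()):
        print(f"{minute:%H:%M} {signal:<14} {n}")
    for i, reasons in kept.items():
        print(f"request {i}: kept because {', '.join(reasons)}")
```

Passing `rng=lambda: 0.0` or `rng=lambda: 0.99` makes the sampled paths deterministic, which is useful when checking which criterion actually caused a request to be kept. Note that a request from a flagged IP carrying an attack signal already falls into the All category, so the site-alert path only adds a second reason for it.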

Deleting stored data

If you find information in the raw data that you want to delete, submit a support request with the date range that you want us to scrub.
