Configuring web applications
Once you select the Web application type, a Web Configuration section appears with several tabs containing various configuration options:
Understanding URL patterns
The URL match patterns have the following structure:
<scheme>://<host><path>
The URL match patterns can contain wildcards, but a port number cannot be specified.
The system forces the use of a wildcard for the scheme *://<host><path>, so it always matches both HTTP and HTTPS.
The user administrating the business applications, views and enters patterns with a simplified structure:
<host><path>
Internally, all the software components must handle the full URL match patterns, including the scheme:
<scheme>://<host><path>
Pattern validation logic
The application configuration module uses the following set of rules to verify the pattern before saving it:
The user must enter at least one URL match pattern.
Today, specifying a scheme like
http://</code>or<code>https://is not supported, it must be*://If the user does not specify
*://the form automatically adds the*://prefix.If the user enters a URL with a port number, the form displays an error message.
The host component can start with
*.followed by part of the fully qualified domain name (FQDN). Note that this pattern also matches a hostname that is exactly the expression entered after the*.wildcard.The host component must end with a complete and valid domain name if it starts with a
*.wildcard.The host component can just contain a local hostname (for example, no domain name) if it does not start with a
*.wildcard. This is to support internal web applications that do not use FQDN.You must specify the path with at least
/*. If the user does not enter a path, the form logic appends/*to match all paths.The path must end with a
*wildcard. If the path does not, the form logic appends*to the pattern.The path cannot contain more than one
*wildcard.The pattern must not contain a query string
(?...). If the user enters a URL with a query string, an error message appears.The pattern must not contain a fragment
(#...). If the user enters a URL with a fragment, an error message appears.Validation logic prevents patterns that intersect each other across all the applications.
The entire match pattern must validate as a standard URL after adding an
http://prefix and replacing all wildcards with arbitrary words. For example, if the user enters the pattern*.example.com/foo/*the expanded formhttp://www.example.com/foo/barcan be easily validated using a standard URL validation library.Entering only a domain name for a host part like
example.comis valid. It will not match, however, the URL name with a hostname likewww.example.com.The form logic auto-corrects the pattern entered by the user, it does this immediately after the textbox loses focus, and the user interface allows the user to see the change before the form is submitted.
A pattern intersects another pattern if at least one URL that is matched by both patterns exists. Explicitly, patterns A1 and B1 intersect if all of the following conditions are true:
After trimming the eventual wildcard from the beginning of the host parts,
A1.hostends withB1.hostorB1.hostends withA1.host.After trimming the wildcard from the end of the path,
A1.pathstarts withB1.pathorB1.pathstarts withA1.path.
Examples of valid patterns
www.example.com/*matches all URLs that start withhttp://www.example.com/orhttps://www.example.com/.*.example.com/*matchesexample.com,www.example.com,intra.example.com,support.intra.example.com, …*.intra.example.com/*matchesintra.example.com,support.intra.example.com, ...example.com/*matches only*://example.com/*.www.example.com/foo/*matches all URLs that start with*://www.example.com/foo/.myintranet/*is a valid pattern for an internal application.www.example.com/foo/*is an existing app match pattern. In this case, the following patterns can be used for any of the applications:*.example.com/bar/*www.example.com/foobar/**.another-example.com/foo/*test.example.com/foo/*
Examples of invalid patterns
www.example.*/*https://*.example.com/*because of the schemewww.*.com/*www.*.example.com/*www.example.com/foo?barbecause query string components are not supported*/*www.example.com/foo#barbecause hash components are not supported in the application URL*.example:1234.com/*because of the port (use*.example.com/*instead, all ports are supported)*.example.com/#foo*example.com/*because there is no dot following the star in the host componentwww.example.com/foo/*/bar/*only one wildcard is allowed in the path*.customer.*.example.com/*only one wildcard is allowed in the host partwww.example.com/foo*is an existing app match pattern. In this case, you cannot use the following intersecting patterns for any of the applications:*.example.com/foo/*www.example.com/foobar/*www.example.com/fo*www.example.com/foo/bar/*
Examples of auto-corrected patterns
www.example.comchanges to*://www.example.com/*www.example.com/changes to*://www.example.com/*www.example.com/foo/changes to*://www.example.com/foo/*www.example.com/foochanges to*://www.example.com/foo/*example.comchanges to*://example.com/**.example.comchanges to*://*.example.com/*
A specific use case for non-standard ports
Access the corporate document management system using the following URL:
https://prod.doxydoc.local:32890/start.php
During the business application configuration, you must use the following pattern:
*://prod.doxydoc.local/start.php*
Collecting URLs
URL table is one of the widgets displayed on the dashboard for Speed and Reliability. By default, the system does not store URLs, as they may contain private or sensitive information, especially in custom-written applications. If this is not a concern, Nexthink recommends activating the Collect URLs checkbox as it helps with Key pages configuration. Refer to the Key pages documentation for more information.
When you enable Collect URLs, users with appropriate permissions can view the individual URLs that employees visit.
When you disable it, the system does not collect any URLs at the extension level.
The system renders a truncated URL to preserve data privacy using a sanitizer.
Sanitizing URLs
Whenever possible, Nexthink sanitizes all collected Uniform Resource Locators (URLs) to conceal sensitive information. This is done in an attempt to remove personal data, potential configuration secrets and certain query string patterns.
A URL is a string that serves as a unique identifier for a web resource. A URL consists of four primary components:
The origin includes the protocol (
httporhttps), the hostname (http://nexthink.com) and the port number (80or443), for example,https://nexthink.com:443.The pathname specifies the exact location of the resource on the server, for example
/company/about-us.The hash is an optional component of the URL that stores information for the browser, such as the current state of the web page or user preferences. It also begins with a hash (
#) and is followed by a string, for example, in the URLconfluence.nexthink.com/pages/urlsanitisaation#url-sanitisation-rules, the hash segment is#url-sanitisation-rules.The query parameters are optional pairs of keys and values that provide additional information to the server. They start with a question mark (
?) and are separated by ampersands (&), for example,?projectKey=DCBSM&view=detail. The query parameters are systematically sanitized. The system replaces eachkey-valuepair with[key], for example:https://confluence.intra.nexthink.com/pages/viewrecentblogposts.action?key=AppExEPsanitized with[key]:https://confluence.intra.nexthink.com/pages/viewrecentblogposts.action?[key]
URL sanitization mechanism
The URL sanitization mechanism is intended to strip sensitive information from URLs before transmitting them to the server by:
Initially removing all query parameters, such as
?key1=value1&key2=value2, retaining only the keys enclosed in square brackets, like?[key1]&[key2].Replacing any other anchors in the hash segment with the code
[anchor].Undergoing further URL sanitization based on specific patterns as described below.
Finally, truncating any excessive parts of the URL.
Remember that this process ensures that sensitive data is not inadvertently exposed in URLs.
Pattern matches and tag replacements
Examples of general codes the system uses to sanitize an application’s URL:
[code] | Description |
|---|---|
[uuid] | Universally Unique Identifier (UUID) ( |
[id] | ID number: sequence of alphanumeric numbers staring with |
[json] |
|
[gib] | Identification number, for example: the email ID which comes after the identification number: |
[hex] | Hexadecimal value: sequence of at least 33 consecutive alphanumeric values in hexadecimal range: a-f and 0-9. |
[int] | Integer value: sequence of at least 4 consecutive digits. |
These patterns are specified globally for all applications. If any part of the Sanitized URL matches any of the patterns, it will be replaced by the corresponding tag.
Examples:
https://community.nexthink.com/s/profile/0052p00000BURowAAHsanitized with[hex]:https://community.nexthink.com/s/profile/[hex]https://outlook.office.com/mail/inbox/id/AAQkAGJhYmFkMTUxLTQ5NzgtNDNlZi1iZDkzLTQ2YzEwNDIwYzA0YgAQAKafeoP2TMVDozSlcBq2JGU%3Dsanitized with[gib]:https://outlook.office.com/mail/inbox/id/[gib]
URL truncation
There is a maximum acceptable length for the Sanitized URL. If the Sanitized URL exceeds the limit, Nexthink removes the excess and adds an ellipsis (...) to show that some of the URL is missing.
Summary
The following table shows the process of sanitizing URLs:
Sanitization Step | Description | Example URL | Sanitized URL |
|---|---|---|---|
Sanitization of query parameters | The key-value pairs are replaced by keys |
|
|
Sanitization of hash segment | The anchor hash segment and the query hash segment are obfuscated |
|
|
Sanitization of URL tokens | The URL is sanitized using pattern matches and tag replacements |
|
|
URL truncation | The URL is truncated if it exceeds the maximum length |
|
|
Activating Soft navigations
Activating soft navigations enables the measurement of the speed of asynchronous page loads where the browser does not load a new page. They are very common in single-page applications (SPA). Soft navigations measure the time it takes a page to stabilize. Refer to the Speed documentation for more information.
Some web applications work in such a way that the page is never completely stable due to background processes. In such cases, soft navigation measurements can report longer than usual page load times. This is why soft navigations are disabled by default. Turn the feature on only when you verify that the application page is stabilized.
Connecting with existing campaigns
Nexthink Applications makes it possible to connect with existing campaigns.
To make the connection, pick the unique identifier (UID) from Campaigns and paste it into the Engage campaign UID text field of the application configuration screen. Note that an Engage campaign license is required.
You can also access the UID value by choosing Campaigns from the main menu and selecting the campaign you wish to connect to from the list. You can locate the UID of the campaign as part of the URL.
Once the campaign is linked, the Sentiment tab on the Applications page becomes visible. Note that you must have the right permissions to access it.
Clicking on the Sentiment tab opens the relevant Campaigns dashboard in a new tab.
RELATED TASKS