Advanced Policy — Building Apps & Custom Data Types
A practical guide for turning captured browser traffic (an HTTP Archive, or HAR file) into the two policy objects you can only build by inspecting real traffic:
- an Application — the URL match that tells Shield which requests a policy applies to, and
- a Custom Data Type — the detector that tells Shield what/where the sensitive value is inside the body.
These are the pieces you extract from the HAR. The remaining objects — Mask Formats, Obfuscations, and Rules — are configured the same way regardless of the traffic and are already documented in the Admin Console docs. This guide links to them where they fit into the flow, but doesn't re-explain them.
The mental model
Shield never looks at the screen. It looks at the HTTP request/response bodies flowing through the proxy (ICAP) or the scanning API. So the job is:
"Find the exact HTTP message that carries the data, describe where the value lives inside that message (→ Custom Data Type), and describe which requests to watch (→ Application)."
A HAR file is a JSON recording of every HTTP request/response the browser made while you reproduced the user's action. Open it, find the one request that matters, and the two things you can't get any other way are right there: the URL (→ Application) and the body shape (→ Custom Data Type).
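The two extractions described above, as an added example (not Shield's own code or its JSON Search DSL): parse a HAR, locate the single entry whose request or response body carries a known value, and report the facts the Application (method + URL) and the Custom Data Type (where in the body) are built from. It also covers the URL step later in this guide, turning the captured `request.url` into a match that is precise but not brittle. The HAR below is constructed for the demo; the `$.a.b[0]` path notation and the `find_value` / `url_to_regex` helpers are this example's own, not the product's.

```python
"""Locate the one HAR entry that carries a known value, then derive the URL
match and the in-body location from it.

Added example, not Shield's code or DSL. SAMPLE_HAR is constructed inline;
the JSON-path notation ($.a.b[0]) is a generic illustration of "where the
value lives", not the product's Custom Data Type DSL.
"""
import json
import re
from typing import Any, Iterator, List, Optional, Tuple

# Constructed HAR: one irrelevant beacon and one request that carries the value.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.invalid/analytics/ping",
                 "headers": [], "postData": None},
     "response": {"content": {"mimeType": "text/plain", "text": "ok"}}},
    {"request": {"method": "POST",
                 "url": "https://example.invalid/api/v2/orders/8f3a1c/discount",
                 "headers": [{"name": "Authorization", "value": "Bearer constructed"}],
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"order": {"id": "8f3a1c"},
                                                  "discount": {"percent": 15,
                                                               "code": "SAVE-2024-XYZ"}})}},
     "response": {"content": {"mimeType": "application/json",
                              "text": json.dumps({"status": "applied"})}}},
]}})


def _walk(node: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Yield (json_path, leaf) for every scalar inside a parsed JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def _body_text(message: dict, direction: str) -> Optional[str]:
    """Raw body text: request.postData.text or response.content.text."""
    if direction == "request":
        return (message.get("postData") or {}).get("text")
    return (message.get("content") or {}).get("text")


def find_value(har_text: str, needle: str) -> List[dict]:
    """Return every place `needle` appears as a scalar in a JSON request or
    response body. Each hit carries direction, method, URL and JSON path, which
    is exactly what the Application and the Custom Data Type are built from."""
    hits = []
    for entry in json.loads(har_text)["log"]["entries"]:
        for direction in ("request", "response"):
            text = _body_text(entry[direction], direction)
            if not text:
                continue
            try:
                body = json.loads(text)
            except ValueError:
                continue  # non-JSON body; this demo only inspects JSON
            for path, leaf in _walk(body):
                if str(leaf) == needle:
                    hits.append({"direction": direction,
                                 "method": entry["request"]["method"],
                                 "url": entry["request"]["url"],
                                 "path": path})
    return hits


def url_to_regex(url: str) -> str:
    """Turn a captured URL into a match that is precise but not brittle:
    literal segments are escaped, the query string is made optional, and
    segments that look like opaque identifiers (digits or 6+ hex chars,
    e.g. an order id) become [^/]+ so the match survives the next record."""
    base = url.split("?", 1)[0]
    scheme, _, remainder = base.partition("://")
    host, _, path = remainder.partition("/")
    segments = [r"[^/]+" if re.fullmatch(r"[0-9a-fA-F]{6,}|\d+", seg) else re.escape(seg)
                for seg in path.split("/")]
    return "^" + re.escape(f"{scheme}://{host}") + "/" + "/".join(segments) + r"(\?.*)?$"


def url_matches(pattern: str, candidate: str) -> bool:
    """True if the derived pattern matches a candidate URL."""
    return re.match(pattern, candidate) is not None


if __name__ == "__main__":
    for hit in find_value(SAMPLE_HAR, "SAVE-2024-XYZ"):
        print(hit)
        print("Application URL regex:", url_to_regex(hit["url"]))
```

Run it on a real export by replacing `SAMPLE_HAR` with the file contents and `needle` with the value you typed in the UI; the hit tells you which direction (request vs. response) the Rule must act on, and the derived regex is the starting point for the Application.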
The pipeline
1. Capture HAR — in the browser DevTools.
2. Analyze the HAR — find THE request.
3. Custom Data Type (DSL) — describe WHERE the value lives.
4. Application (URL regex) — describe WHERE the request goes.
Steps 1–4 are the focus of this guide. The Custom Data Type and the Application are then wired together into an Obfuscation + Rule (see the Admin Console docs).
| Shield object | Answers | Built from (HAR field) | Covered here? |
|---|---|---|---|
| Application | Where does this request go? | request.url, request.method | ✅ |
| Custom Data Type | What/where is the value inside the body? | request.postData / response.content | ✅ |
| Mask Format | How should the value be transformed? | (chosen by use case) | → admin docs |
| Obfuscation | Pairs a Data Type with a Mask Format | (composed) | → admin docs |
| Rule | What action, on request or response? | request vs. response direction | → admin docs |
Read these in order
- Capturing a HAR file — record a clean capture in the browser, then import it into Postman as a collection. Plus how to sanitize before sharing.
- Analyzing the HAR in Postman — the visual workflow: finding the one request that matters and reading request vs. response bodies.
- Custom Data Types — how to turn a body shape into a detector with the JSON Search DSL.
- Applications & URL regex — turning request.url into a URL match that's precise but not brittle.
- End-to-End Example — a Salesforce "Apply Discount" request, turned into an Application + Custom Data Type end to end.
TL;DR tool choice
- Capture: the browser's built-in DevTools → Network tab (Chrome, Edge, or Firefox). Free, already installed, and it produces the exact HAR Shield needs.
- Analyze (recommended): Postman — import the HAR as a collection, browse requests visually, pretty-print the JSON/GraphQL bodies, and re-fire the one you care about.
- Analyze (alternative): Chrome / Firefox DevTools — import the HAR back into the Network panel and inspect it like a live capture.
A HAR is as sensitive as a password file
HAR captures contain live session tokens, auth headers, and real PII. Keep analysis local (Postman or your own browser), and sanitize before a HAR ever leaves your machine.
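An added example of the sanitize step (not Shield's or any browser's own tooling): redact the credential-bearing parts of a HAR (auth and cookie headers, cookie arrays, sensitive query parameters, and known secret keys inside JSON or form bodies) while keeping the URL shape and body structure that the analysis needs, then verify that none of the known secrets survive before the file is shared. The HAR, the secret values, and the header/key lists are constructed for the demo.

```python
"""Redact a HAR before it leaves the machine, then check nothing known leaked.

Added example, not Shield's tooling. SAMPLE_HAR and every value in it are
constructed; SENSITIVE_HEADERS / SENSITIVE_KEYS are a starting list, not a
complete one, so the final leaked_secrets() check is the real gate.
"""
import json
import urllib.parse

REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-api-key", "x-csrf-token"}
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "access_token",
                  "refresh_token", "api_key", "apikey", "session", "sid", "authorization"}

# Constructed HAR: one login request with secrets in every place a HAR can hold them.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://example.invalid/api/login?access_token=qs-constructed-789&page=2",
        "queryString": [{"name": "access_token", "value": "qs-constructed-789"},
                        {"name": "page", "value": "2"}],
        "headers": [{"name": "Authorization", "value": "Bearer hdr-constructed-123"},
                    {"name": "Cookie", "value": "session=cookie-constructed-456"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "cookie-constructed-456"}],
        "postData": {"mimeType": "application/json",
                     "text": json.dumps({"order": {"id": "8f3a1c"},
                                         "password": "body-constructed-000"})}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=newcookie-constructed-999; HttpOnly"}],
        "cookies": [{"name": "session", "value": "newcookie-constructed-999"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"refresh_token": "resp-constructed-555", "ok": True})}},
}]}})
CONSTRUCTED_SECRETS = ["qs-constructed-789", "hdr-constructed-123", "cookie-constructed-456",
                       "body-constructed-000", "newcookie-constructed-999", "resp-constructed-555"]


def _redact_headers(headers: list) -> None:
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED


def _redact_cookies(cookies: list) -> None:
    for cookie in cookies:  # every cookie value is a session artefact; blank them all
        cookie["value"] = REDACTED


def _redact_pairs(pairs: list) -> list:
    return [(k, REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]


def _redact_url(url: str) -> str:
    """Keep scheme/host/path (the Application needs them); scrub sensitive query values."""
    parts = urllib.parse.urlsplit(url)
    cleaned = _redact_pairs(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(cleaned)))


def _redact_json(node):
    """Recursively replace values under sensitive key names; structure is preserved."""
    if isinstance(node, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else _redact_json(v))
                for k, v in node.items()}
    if isinstance(node, list):
        return [_redact_json(v) for v in node]
    return node


def _redact_body(body) -> None:
    """Handle JSON and form-encoded bodies; other types are left for manual review."""
    if not body or not body.get("text"):
        return
    if body.get("mimeType", "").startswith("application/x-www-form-urlencoded"):
        pairs = urllib.parse.parse_qsl(body["text"], keep_blank_values=True)
        body["text"] = urllib.parse.urlencode(_redact_pairs(pairs))
        return
    try:
        parsed = json.loads(body["text"])
    except ValueError:
        return
    body["text"] = json.dumps(_redact_json(parsed))


def sanitize_har(har_text: str) -> str:
    """Return a redacted copy of the HAR text, structure intact."""
    har = json.loads(har_text)
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        req["url"] = _redact_url(req["url"])
        for param in req.get("queryString", []):
            if param.get("name", "").lower() in SENSITIVE_KEYS:
                param["value"] = REDACTED
        _redact_headers(req.get("headers", []))
        _redact_headers(resp.get("headers", []))
        _redact_cookies(req.get("cookies", []))
        _redact_cookies(resp.get("cookies", []))
        _redact_body(req.get("postData"))
        _redact_body(resp.get("content"))
    return json.dumps(har, indent=2)


def leaked_secrets(har_text: str, secrets: list) -> list:
    """Final gate before sharing: which known secret strings still appear verbatim?"""
    return [s for s in secrets if s in har_text]


if __name__ == "__main__":
    cleaned = sanitize_har(SAMPLE_HAR)
    print(cleaned)
    print("still present:", leaked_secrets(cleaned, CONSTRUCTED_SECRETS))
```

The key-name approach is deliberate: it keeps the body shape (and non-secret fields such as the order id) so the Custom Data Type can still be built from the sanitized file, while `leaked_secrets` catches anything the key lists missed. Feed it the token and session values you can read out of your own browser session before sharing; an empty list is the condition for the file to leave the machine.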