The test-tcell Developer Hub

Welcome to the test-tcell developer hub. You'll find comprehensive guides and documentation to help you start working with test-tcell as quickly as possible, as well as support if you get stuck. Let's jump right in!

tCell service updates


  • Fixed an issue where users with Read-Write access were unable to update a policy which references an IP Group or Custom Regex.


  • Added support for Envoy, an open source edge and service proxy, designed for cloud-native applications. For download and installation instructions see: Installing the Envoy agent.


  • Added support for Rapid7's EU-Central (Europe) datacenter. Please see IPs to allow (EU).


Upgrading to App Firewall v5

Upgrading will require an update to the tCell agent deployed on your application. We recommend upgrading to the latest version of the agent. Or, to find the minimum required version, see the agent-specific release notes.





  • New tCell apps will now have App Firewall v3 rules enabled by default.
  • UI Support added to create App Firewall exclusion rules to target events with no path specifically (Null Path). This requires an up-to-date agent: Java 0.4.4+, .NET agent 0.5.1.
  • Update name validation to permit non-latin character names for users. Users with punctuation in their names are still out of luck.


  • Users who have created still-existing API keys can now be removed. Previously, it was necessary to manually remove the API keys the user had created. (The association between users and API keys is a service-internal detail, there are no user-exposed controls or access relationships between users and API keys.)


  • The Account Takeover Dashboard, the User Report sub-page (accessed by clicking on a username), City was added to the location information in the bottom table, in addition to Country.
  • In the Admin panel, the Users list is now sorted in order of most recent login, with the most recent first, by default.


  • Added support for App Firewall event exclude rules that are disabled. This enables temporary disabling of rules, or creation of rules for review before enabling them.
  • Fixed filtering by method type in the App Firewall Details page.
  • API support for customer API key key management.
  • Several updates to API documentation.


  • Corrected use of capitalized strings in exclude rules for the App Firewall. The UI already tried to help users by lowercasing the entry, but when overriding the value with a capitalized string, the agent in some cases would not match the parameter.
  • Fixed grouping of IP location grouping in the UI when using encrypted values for IP addresses.
  • A variety of in-ui help texts were improved.


  • Fixed an issue that could prevent data response requests for data across a month period. (Example: in some cases an event list for a month period might not have returned any information.)


  • Now catch requests for time windows over 30 days long in the UI to provide clear feedback that this is not supported.
  • Most UI views now refresh to show new data when left idle for a time.


  • Added the ability to create URL-based exclusions to AppFW
  • Added input validation for the Path-based blocking feature
  • Added AppID field to the downloadable CSV of packages
  • CSP misconfig detection improvements
  • Fixed a bug that caused Metrics from "null routes" not to show up on the Routes Dashboard
  • Addressed UI issues that caused poor rendering of the active agent chart when there were a large number of agents
  • Added XXE detection to CMDi detection in AppFW
  • Updated documentation for REST APIs


  • Fixed incorrect links displayed on the Clickjacking card in the Newsfeed
  • Added an API for retrieval of new vulnerability notification events
  • Command Injection (OS Commands) improvement - compound commands will now be whitelisted if individual commands are whitelisted


  • UI - In config download, sort the application list
  • UI - when listing vulnerabilities, uniformly use "-" to indicate both info not available, and no vulnerabilities
  • UI - IP page would display geolocation of previously viewed IP
  • UI - link from vulnerability newsfeed card goes to empty page


  • Added .NET installation instructions to admin view


  • Made improvements to WebHooks Beta - additional fields including app_id and alert-relevant fields
  • Fixed a bug with some versions of FireFox not being able to log in via Google Auth
  • Fixed a bug that caused whitelisted IPs to be flagged as suspicious


  • Data Exposure feature is now only available only on customer request
  • Fixed CORS errors with JSAgent on certain Microsoft browsers


  • Added tCell to the default CSP whitelist
  • Added a test button to WebHooks Beta


  • Added new feature - URL-based blocking


  • Limited the maximum length of a login attack to 72hrs


  • Added support to obtain unstripped URIs from AppFW events


  • Added support to add user notes to any whitelisted/blacklisted IP in policy


  • AppFW UI Refresh


  • Made it so whitelisted inline scripts no longer show up on dashboard
  • General improvements to the AppFW Event Viewer

Updated 4 days ago

tCell service updates

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.