This article primarily covers the configuration needed to dynamically insert Darwinium JavaScript profiling into pages when using a CDN (Edge) deployment.
On Edge deployments, this process is a Darwinium journey configuration task rather than a direct developer task.
- You may wish to first familiarise yourself with the Darwinium Portal, basics of Authoring Journeys and Deployment.
- For overview and context of the JavaScript Profiling see JavaScript Profiling
- If not on Edge/CDN deployment, see Tags Deployment for inserting and initiating JavaScript Tags manually.
Profiling Insert -> Collect Flow
Prior:
- Darwinium .journey.yaml configuration file has been created, built and deployed
- Journey file has been authored to define steps that create:
- worker on GET request /loginpage to insert Darwinium profiling upon page load.
- worker on the subsequent POST request /login to consume the resulting profiling and make decision.
Realtime User flow:
- End user performs /loginpage GET request to load page.
- On the response, the Darwinium Edge worker inserts the JavaScript profiling code directly into the page, at the location specified in journey configuration file.
- User proceeds on page (eg. filling credentials)
- Upon user initiating /login POST request (eg. login button pressed), the profiling code is stopped, and collects it as a protobuf encoded profileBlob.
- The profileBlob is added as a header dwn-profiling to the /login POST request.
- The Darwinium worker on the /login POST request route extracts the profileBlob from the dwn-profiling header of the request. The dwn-profiling header is not passed to the origin.
- The profileBlob is decoded back into the useful profiling data when sent to Darwinium, and is available to use in risk decisioning and investigations on this Darwinium event.
- (optional) While async by default, the journey configuration file can instruct the worker to wait for attributes like Darwinium JourneyID or risk score to run.
- those can then insert into header to the origin for consumption and decisioning.
- adding these dependencies do incur latency of the worker computation (eg. computing journey_id) or callout to Darwinium (full risk score)

The profileBlob inserted as dwn-profiling varies depending on config but can be 4-5kb. You may need to increase header size permitted on the request to allow it.
Configuration
The below configuration will instruct Darwinium to insert and collect profiling against a page.
There are often site security policies that Darwinium profiling needs to be declared on to operate:
- Content Security policies of permitted connections
- Permissions policies
- Header enforcement
See Javascript Profiling for these considerations
Install Snippet
- Enter Workflows of Darwinium Portal and Install the Darwinium Profiling snippet
- Marketplace (right hand tabs) > Install. Snippets enable templated options while journey editing.


- The relevant files are downloaded into your workflows:
- dwn_profiling.snippet: Enables option in journey config
- fpjs > dwn_profiling.js: The actual JS profiling code that will be inserted.
- Marketplace (right hand tabs) > Install. Snippets enable templated options while journey editing.
- Add the snippet to your journey.yaml file. (See Journeys)
- open the journey.yaml file > Configuration (top) > Snippets > Add snippet > ...
- specify the path to the snippet just installed. Likely
dwn_profiling.snippet - You may need to now close and reopen journey for snippet to take effect.
Page insert/extract config menu
-
Open your journey file and the step where profiling desired. It is recommended on GET requests, and to rerun profiling on multiple pages in the journey to detect anomalies

-
Go to Data Mappings > Response > Body Mappings. This is where we can instruct the worker to insert or extract things from the response request.
-
Set the configuration to expect a page
- Body Type -> Regular
- Body Rule -> With HTML/XML Path
- Mode -> html
-
This menu allows operations to be performed against locations in the page. The paths should be specified as XPath (see Injection and Extraction Menu)

Insert profiling into desired page location
Darwinium recommends inserting profiling in the head with XPath
/html/head
or if performance a concern and willing to trade off quality and presence of that profiling
/html/body
See JavaScript profiling.
- If the snippet was installed successfully, you will get option in drop down to Inject darwinium profiling

Configure the profiling template
The template has options to configure, based on:
- the structure of the GET request page being inserted into
- the request intended to collect and transmit the profiling on
Hover the (i) for inline help.
Application HTTP Requests
What type of request is expected to add the collected profiling to?
Tip: using developer console network tab can isolate the Type of the intended request.
XMLHttpRequest: JS is attached towindow.XMLHttpRequestthat inserts a header named dwn-profiling into the request. XMLHttpRequest is also known as Ajaxfetch: JS is attached towindow.fetchthat inserts a header named dwn-profiling into the request.none: dwn-profiling is inserted as a new form input field on HTTP form POST requests.
Fetch/xhr URL Restricted to
Use this parameter to restrict the injection of the dwn-profiling header in application XMLHttpRequest or fetch requests. That is important if the site enforces and rejects requests containing unexpected headers.
- For
fetchandXMLHttpRequest: This is the URL prefix of the request to collect profiling on, often a POST. Profiling data will only be inserted to fetch or XMLHttpRequest requests that are made to this URL. e.g./example/login- URL query parameters are ignored as part of the URL restriction.
- For
form posts: This is not used and should be set tononeas best practice.
Note
nonewill disable HTTP header injection on all requests.anymeans all requests to the same domain will have profiling headers injected. You can use this when there could be multiple different follow on POST requests and comfortable that dwn-profiling header will be added to any follow on request.
Only use any if certain your site security will permit the dwn-profiling header on any request
Form Post CSS Selector
- For HTTP form post requests: Restricts dwn-profiling form post injection to only ones that match the configured CSS selector.
- Example: Any of the following CSS Form Selectors would work
form#my_form_id
form[action='/example/post']
form[method='post']
For the following HTML form
<form action="/example/post" method="post" id="my_form_id"/>
You should use a CSS selector that identifies the intended form(s) and will likely be robust to page changes. If no form with the CSS selector is found it will fail open, but profiling will not be attached to any request anymore.
- For
XMLHttpRequestandfetch: This is not used and should be set tononeas best practice.
Enable Keyboard Biometrics
Default = true
Leave on if intention to collect behavioural biometrics data about how the user types and interacts with mapped input text field, including:
- Cadence
- Shortcut Usage (autofill, paste, copy, cut)
- Navigations (tabs, arrows, backspaces, deletes)
And generating Darwinium behavioural signatures.
Enable Mouse Biometrics
Default = true
Leave on to collect mouse stroke data including: Clicks (left, right, middle, scroll click), Num movements, Movement profile (curvature, inflexion, distance), Movement timing (dwell time, move/scroll interval, speed)
Mouse off screen.
Enable Touch Biometrics
Default = true
Leave on to collect tap data on mobile browsers including: Tap profiles (size, pressure, radius), Num swipes, Swipe profile (left/right handedness, curvature, inflexion, distance), Swipe timing (dwell time, move/scroll interval, speed)
Enable Sensor Biometrics
Default = true
Leave on to collect sensor data on mobile browsers including: Accelerometer
Gyroscope, Magnetometer, Proximity sensor, Light sensor
Enable Geolocation
Default = false
Use the Geolocation API to request user precise location. This is very useful as a trust indicator and more accurate than other forms of browser geolocation profiling by utilising combination of GPS, WIFI and IP.
Geolocation toggled on will trigger browser notification asking user's that you have requested their location and to Accept or Deny. The permission will be asked again upon user clearing cookies.
Enable Device Sensor (mainly for iOS)
Default = false
Leave on to collect sensor data on iOS devices.
Sensor may trigger a permissions notification
Single Page App/Shadow DOM Support
Default = false
Select this option only if your form or keyboard input elements are:
- Dynamically rendered via JavaScript (as part of a single page application)
- Nested beneath a Shadow DOM on a page.
- This option can be false when neither of those are true, or also if keyboard biometrics is disabled.

The consideration for having certain toggles off is to:
- reduce the size of profileBlob
- reduce size of Darwinium JS profiling code
- not trigger permissions request notification to user (note: those are all false by default).
However, for best decisioning, Darwinium recommends at least leaving these at their defaults.
Those will improve data coverage and hugely benefit the separation of good vs. bad users, human user vs. automation, by monitoring user behaviour across the journey.
Add keyboard biometrics contexts (optional)
A small but separate JS code snippet is inserted for additional profiling of keyboard interactions against specific input text fields on the page.
- In same insertion menu, add a new line with +
- As with profiling, Insert into desired location on page (recommend
/html/head) - Select Enable Keyboard Biometrics On Input Field... from dropdown

In CSS Input Selector of the Input Field
- The CSS Input Selector of the input field on the page to which Darwinium Keyboard Biometrics will be attached.
- The CSS Selector must be explicit enough to select only the correct input field. Care must be taken to ensure that the CSS Selector does not match multiple input fields on the page.
- Example CSS Input Selectors:
input#my_email_id
input[name='email_example']
input[id='my_email_id']
input[type='email']
For the HTML Input:
<input type="email" id="my_email_id" name="email_example"/>
Tips:
- Right click > inspect element on the input fields of interest to find their properties
- Use web developer console to confirm validity of CSS selector in isolating an input field
document.querySelector("input[id='my_email_id']")
Context of the Input Field
Choosing which Darwinium CONTEXT to assign the input field. These are from a fixed list and should match the purpose of the field as close as possible. The CONTEXT are used to search for the keyboard biometrics attributes associated with that text field.
ACCOUNT_NUMBER
ADDRESS_STREET1
ADDRESS_STREET2
ADDRESS_STREET3
BANK_ACCOUNT_NUMBER
BANK_ACCOUNT_ROUTING_NUMBER
CREDIT_CARD
CURRENCY_AMOUNT
DATE_OF_BIRTH
DRIVERS_LICENSE
EMAIL
FIRST_NAME
FULL_NAME
GENERAL_PURPOSE_ONE
GENERAL_PURPOSE_TWO
IBAN
LAST_NAME
LOGIN
PASSWORD
POLICY_NUMBER
SOCIAL_SECURITY
TELEPHONE
USER_NAME
It is advised to try and keep a 1:1 mapping between input field in journey to an assigned CONTEXT.
Keyboard behaviour risk assessments are improved with contexts because of vastly different expected interaction behaviour on different types of fields.
Examples:
- Someone pasting their first name in a registration form is far less expected and riskier than pasting their national identity number.
- A One Time Passcode input text field is expected to have a long hesitation before being typed in compared to other normal fields.
Deploying the JS profiling to live
The instruction to insert the profiling code will now be compiled upon next commit and build of this journey, and made live upon the deploy of that build.
See Deployment
The Darwinium edge worker will insert the JS (found in fpjs > dwn_profiling.js) into the page on the GET request step, and collected and transmitted in either Header or form body of the subsequent request.
You can verify the profiling is inserted by:
-
inspecting the contents of the page for the Darwinium JS fragments
In <head>:

Main Darwinium JS profiling

Behavioural biometrics keyboard context tagging of the email input field
In <form>:

For form, dwn-profiling form input field that will be inserted -
Observing POST to aps.wowscale.com. This is Darwinium's packet filtering profiling domain that performs a subset of the connection profiling.
You can verify dwn-profiling header is being collected on the request by:
-
In network tab, checking the Header (or Body if form) of the follow on request, usually POST:

-
Checking in Darwinium Portal that profiling.javascript attributes are being populated. Example search:
profiling.javascript.os != null
While Darwinium JavaScript profiling is passive, it is still advised a staging environment is used to confirm normal operation of the site upon the script and header inserts
Additional profiling resources
See JavaScript profiling for additional considerations
See Tags deployment for inserting JavaScript Tags manually