Telemetry Beacons

CSD telemetry operates in two phases. First, instrumentation scripts load from the application origin via standard GET requests — these inject CSD’s monitoring code into the page. The script URL pattern follows the format https://<collection-domain>/__imp_apg__/js/<tenant-script>.js, though the exact path varies by deployment. Once initialized, the scripts periodically send telemetry back to F5 via POST requests known as beacons. These beacons are sent to F5-operated signal collection domains (*.zeronaught.com), not to the application origin.

Property	Value
Script loads	CSD instrumentation scripts loaded via GET requests on the application origin — filter for __imp_apg__ or zeronaught in DevTools to identify them
Beacon destinations	POST to F5 signal collection infrastructure (e.g., us.gimp.zeronaught.com, csd.zeronaught.com)
Payload format	Encoded binary — not human-readable JSON
Frequency	Periodic during page lifetime; additional beacons fire on specific events (form field access, new script load)

What beacons report

CSD beacons carry script behavior metadata, not user input:

• Script inventory — which scripts loaded on the page and from which source domains
• Form field access events — which scripts read or interacted with which input fields (field names and types)
• Page metadata — current URL, timestamps, page lifecycle events

CSD is designed to report script behavior metadata — field names, input types, and access patterns — rather than user-entered form data. The F5 CSD Privacy Statement describes CSD as collecting “information about which assets are accessing various page elements or data structures,” focusing on script behavior rather than user input content.

Observe beacons in DevTools

1. Open Chrome DevTools (F12) and switch to the Network tab
2. Browse the application or interact with form fields to generate traffic
3. Type zeronaught in the filter bar to isolate CSD traffic — you will see the script load (GET) and the telemetry beacons (POST) to us.gimp.zeronaught.com
4. Look at the Method column: GET entries are the CSD instrumentation code loading; POST entries named dip are the telemetry beacons carrying signal data back to F5
5. Click a dip beacon to inspect its headers and payload; note that the request body is encoded binary, not human-readable JSON

CSD beacons vs attack exfiltration

CSD telemetry beacons are POST requests sent to F5-operated infrastructure (*.zeronaught.com domains). A malicious formjacking script, by contrast, exfiltrates stolen data to an attacker-controlled domain — typically via fetch(), XMLHttpRequest, or image beacon (new Image().src).

Both CSD beacons and attack exfiltration are cross-origin requests, but the key differences are destination and content: CSD sends script behavior metadata to known F5 infrastructure, while exfiltration sends user-entered data (passwords, card numbers) to an attacker’s server. This distinction is central to how CSD detects attacks — see CSD Capabilities — Detection Boundaries for what CSD can and cannot observe.