We have the capability to obfuscate the IP addresses of your users when they make search request to Algolia. As of 2021, this feature is turned on by default.
What does this feature do?
The feature removes the last portion (octet) of the IP so it's no longer possible to identify the user behind the request. For your information:
-
for IPv4, we can mask the last 8 bits (1 byte) of the IP address
-
for IPv6, we can mask the last 72 bits (9 bytes) of the IP address
The obfuscation of the IP is done only for search/browse requests because we still want to identify the IP for write operations like delete index for auditability.
Why do we keep the IP by default?
The IP is used by your Algolia analytics to identify a user if you do not provide a userToken.
It allows us to:
-
Group sequential queries together to find the final query (analytics aggregation)
-
Count unique users
If we disabled it by default, all existing implementations without a userToken would have all their analytics metrics negatively impacted.
-
Incorrect search count (up to ~5% delta on tested apps)
-
Incorrect user count (up to ~8x on tested apps)
-
Potentially unusable A/B testing feature
How do I enable it?
Since 2021, IP Obfuscation is enabled by default, so there's no need to ask us to enable it.