Tracking non-web apps

By default, Castle assumes that events are tracked from a web server environment, more specifically all events coming from your backend needs to reference the __cid tracking cookie set by the Castle JavaScript. This is handled automatically by the backend libraries.

However, if you have activity generated from other sources, such as a mobile app or a REST API, you will need to set the X-Castle-Source header in order to tell Castle to make adjustments to its threat detection logic.

X-Castle-Source Description
web default The backend library requires the tracking cookie to be set and try to match activity and properties tracked from the client and the backend.
backend When you are not using Castle.js to track client activity. Instead you track events, and optionally page views, from your backend. In this mode Castle will not look for a tracking cookie.