Encrypting/encoding of API key?

[adamk9k]

Hey, I'm trying to set up Faro with an existing application and see that the Api Key is sent unencoded in the header of the request. If someone copies this they could flood our servers with malicious requests. I searched the docs but couldn't find anything related to this. Is this the only option to communicate with the Agent?

[Memfisrain]

Vote up for that topic

[codecapitano]

Hi @adamk9k

The Api Key is a discriminatory key that we need rather than something super secret.
(The naming "Api Key" is weak and we intent to use it).

Access to the endpoint is protected by the the api key (static header), the CORS policy, rate limiting and the payload size limit?
You'll find similar abuse prevention mechanisms in other frontend agents too.

Cheers,
Marco

/cc @cedricziel

[adamk9k]

Makes sense, thank you. We will be sure to pay attention to the cors and rate limiting. Can I read more about the general payload size? I was thinking to check also the format but if we can expected a certain size, that is also great.

[codecapitano]

Hi @adamk9k

Payload sizes may vary for several reasons like:

• Users can provide additional attributes to most of the Faro APIs like pushEvent() for example.
• If people decide to add the Web-Tracing instrumentation the payload size will increase. This is because this instrumentation uses OpenTelemetry under the hood which has a different, more verbose, data format as Faro
• People can use the OtlpHttpTrasnport to transform the Faro payload to to the Otlp format (this is mostly for users which want to stay vendor agnostic and send data to their own Otel collector)
• Users can define change batch size / timeout which has an influence on the payload size

At the moment there is an upper limit which is forced by the beacon spec:[1]

• For beacon requests the body limit for keepalive requests is 64KiB[1][2].
• In future releases we will either provide a mechanism to fall back to other methods and send bigger payloads or split requests and still send them as beacons (in this case 64kib limit will stay).

---

• [1] https://fetch.spec.whatwg.org/#http-network-or-cache-fetch
• [2] https://javascript.info/fetch-api#keepalive

[codecapitano]

Maybe one more thing for clarification:

The "Api Key" as used in Faro is a unique identifier and NOT a key of any sort.

We definitely need to update our docs and deprecate the apiKey property and add a new one with a better name!

/cc @cedricziel

PS:
Thanks s o much for questions like these. This helps a lot to improve the Web-SDK and to make it better ❤️

[adamk9k]

Thank you for the detailed answer, it helped a lot.