
Doesn't appear to be secure #38

Open
72gm opened this issue Mar 8, 2023 · 4 comments
72gm commented Mar 8, 2023

Hi,

On testing this I noticed the following:

From the Network tab it calls https://dc.services.visualstudio.com/v2/track with the instrumentation key in the payload

Which means I can steal these two bits of information and use Postman to directly insert stuff in our insights database.

Which I did.

Expected behavior
I'd expect that you could lock this down in DevOps with something like a setting to restrict which domains the info came from?

Otherwise someone could skew your analytics/bombard your analytics DB!?

Can you advise?

MSNev (Contributor) commented Mar 8, 2023

The iKey is not secure, and you don't even have to go to the extreme of seeing the payload in the Network tab: as part of initializing the SDK, your JavaScript code or the initial page will and MUST include it.

There is a nice long thread on this here: microsoft/ApplicationInsights-JS#281, but the short answer is that there is no way to secure this value and it is not considered to be a secret.

bandersen22000 commented

@MSNev just to be clear: you won't support Azure AD authentication for Application Insights in the future, where you add the login credentials to the appInsights.defaultClient as described here:
https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=nodejs#ingestion-http-errors

Or is this only related to backend clients?

MSNev (Contributor) commented Aug 2, 2023

Correct, we currently have no active plans to implement this from the client side, and yes, this is currently designed for "server" (backend) systems ingestion, where the keys can be more tightly controlled.

While conceptually it would seem that having "user" AAD credentials passed down would work, there would be no way to send any telemetry "until" the user has authenticated, or to securely have any "standard" authentication available from the clients.

github-actions bot commented

This Issue will be closed in 30 days. Please remove the "Stale" label or comment to avoid closure with no action.

github-actions bot added the stale label Nov 15, 2024