From 1fa853acc320d578190ad197eb9bfd1b7e89c596 Mon Sep 17 00:00:00 2001 From: Steven Swartz Date: Sun, 12 Nov 2023 21:24:04 -0500 Subject: [PATCH 1/3] Document that baggage is sent to external APIs by automatic instrumentation --- content/en/docs/concepts/signals/baggage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/concepts/signals/baggage.md b/content/en/docs/concepts/signals/baggage.md index 5d3ec9734ce8..937a12576d69 100644 --- a/content/en/docs/concepts/signals/baggage.md +++ b/content/en/docs/concepts/signals/baggage.md @@ -34,7 +34,7 @@ retrieve information. OTel Baggage should be used for data that you're okay with potentially exposing to anyone who inspects your network traffic. This is because it's stored in HTTP -headers alongside the current context. If your relevant network traffic is +headers alongside the current context, and may be sent to external APIs by automatic instrumentation. If your relevant network traffic is entirely within your own network, then this caveat may not apply. Common use cases include information that’s only accessible further up a stack. From b34470b0f1a0b23e8830992492c123363df4d4d9 Mon Sep 17 00:00:00 2001 From: Steven Swartz Date: Thu, 16 Nov 2023 22:25:10 -0500 Subject: [PATCH 2/3] Clarify security considerations when using baggage --- content/en/docs/concepts/signals/baggage.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/content/en/docs/concepts/signals/baggage.md b/content/en/docs/concepts/signals/baggage.md index 937a12576d69..9aa8275c83cb 100644 --- a/content/en/docs/concepts/signals/baggage.md +++ b/content/en/docs/concepts/signals/baggage.md @@ -32,22 +32,23 @@ retrieve information. ## What should OTel Baggage be used for? -OTel Baggage should be used for data that you're okay with potentially exposing -to anyone who inspects your network traffic. This is because it's stored in HTTP -headers alongside the current context, and may be sent to external APIs by automatic instrumentation. If your relevant network traffic is -entirely within your own network, then this caveat may not apply. - Common use cases include information that’s only accessible further up a stack. This can include things like Account Identification, User IDs, Product IDs, and origin IPs, for example. Passing these down your stack allows you to then add them to your Spans in downstream services to make it easier to filter when you’re searching in your Observability back-end. -There are no built-in integrity checks to ensure that the Baggage items are -yours, so exercise caution when retrieving them. - ![OTel Baggage](/img/otel-baggage-2.svg) +## Baggage security considerations + +Sensitive Baggage items could be shared with unintended resources, like third-party APIs. +This is because automatic instrumentation includes Baggage in most of your service’s network requests. +Specifically, Baggage and other parts of trace context are sent in HTTP headers, making it visible to anyone inspecting your network traffic. +If traffic is restricted within your network, then this risk may not apply, but keep in mind that downstream services could propagate Baggage outside your network. + +Also, there are no built-in integrity checks to ensure that Baggage items are yours, so exercise caution when retrieving them. + ## Baggage is not the same as Span attributes One important thing to note about Baggage is that it is not a subset of the From 703c1d2cda623c1c8c081f2c084855ca147a32dd Mon Sep 17 00:00:00 2001 From: swar8080 Date: Wed, 22 Nov 2023 08:26:25 -0500 Subject: [PATCH 3/3] fixes formatting --- content/en/docs/concepts/signals/baggage.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/content/en/docs/concepts/signals/baggage.md b/content/en/docs/concepts/signals/baggage.md index 9aa8275c83cb..c51c416c1090 100644 --- a/content/en/docs/concepts/signals/baggage.md +++ b/content/en/docs/concepts/signals/baggage.md @@ -42,12 +42,16 @@ you’re searching in your Observability back-end. ## Baggage security considerations -Sensitive Baggage items could be shared with unintended resources, like third-party APIs. -This is because automatic instrumentation includes Baggage in most of your service’s network requests. -Specifically, Baggage and other parts of trace context are sent in HTTP headers, making it visible to anyone inspecting your network traffic. -If traffic is restricted within your network, then this risk may not apply, but keep in mind that downstream services could propagate Baggage outside your network. - -Also, there are no built-in integrity checks to ensure that Baggage items are yours, so exercise caution when retrieving them. +Sensitive Baggage items could be shared with unintended resources, like +third-party APIs. This is because automatic instrumentation includes Baggage in +most of your service’s network requests. Specifically, Baggage and other parts +of trace context are sent in HTTP headers, making it visible to anyone +inspecting your network traffic. If traffic is restricted within your network, +then this risk may not apply, but keep in mind that downstream services could +propagate Baggage outside your network. + +Also, there are no built-in integrity checks to ensure that Baggage items are +yours, so exercise caution when retrieving them. ## Baggage is not the same as Span attributes