Client-side logging and security

pulse00 · September 20, 2017, 3:49pm

I’m wondering what’s the best practice to avoid misuse of sentry logging endpoints which are used by client side javascript applications.

Right now it’s possible to set “Allowed Domains” for each project, meaning any http request not having an “Origin” of one of these domains will be rejected.

However, malicous users could easily script an attack on that endpoint and simply set the “Origin” header to an allowed value.

matt · September 20, 2017, 4:56pm

There’s not realistically anything we can do to prevent that. It’s the same risk with any API key used by a client side application.

We do provide a way to generate multiple DSNs and revoke them. So if it were being abused, you could revoke and issue a new one.

Topic		Replies	Views
Protect against log injections	4	1711	October 25, 2019
Web API - Invalid origin SDKs	3	2278	December 1, 2020
No ‘Access-Control-Allow-Origin’ header error when sending logs	0	2156	July 14, 2017
Multiple domains on a project	1	2091	February 21, 2022
Allowed domains - using wildcard with part of domain	3	6612	May 13, 2022

Client-side logging and security

Related Topics