Client-side logging and security

pulse00 · September 20, 2017, 3:49pm

I’m wondering what’s the best practice to avoid misuse of sentry logging endpoints which are used by client side javascript applications.

Right now it’s possible to set “Allowed Domains” for each project, meaning any http request not having an “Origin” of one of these domains will be rejected.

However, malicous users could easily script an attack on that endpoint and simply set the “Origin” header to an allowed value.

matt · September 20, 2017, 4:56pm

There’s not realistically anything we can do to prevent that. It’s the same risk with any API key used by a client side application.

We do provide a way to generate multiple DSNs and revoke them. So if it were being abused, you could revoke and issue a new one.

Topic		Replies	Views
Protect against log injections	4	1954	October 25, 2019
Web API - Invalid origin SDKs	3	2474	December 1, 2020
No ‘Access-Control-Allow-Origin’ header error when sending logs	0	2256	July 14, 2017
JS - how avoid anyone mess with my log?	1	1247	July 24, 2017
Multiple domains on a project	1	2343	February 21, 2022

Client-side logging and security

Related topics