Client-side logging and security

I’m wondering what’s the best practice to avoid misuse of sentry logging endpoints which are used by client side javascript applications.

Right now it’s possible to set “Allowed Domains” for each project, meaning any http request not having an “Origin” of one of these domains will be rejected.

However, malicous users could easily script an attack on that endpoint and simply set the “Origin” header to an allowed value.

There’s not realistically anything we can do to prevent that. It’s the same risk with any API key used by a client side application.

We do provide a way to generate multiple DSNs and revoke them. So if it were being abused, you could revoke and issue a new one.