Getting server errors from a server I don't own -- security concern?

#1

I’ve been getting sentries for Django server-side errors for a server I don’t own. Example, in case this is helpful: https://sentry.io/organizations/mit-tab/issues/1023487118/?project=208171&query=is%3Aunresolved&statsPeriod=14d

This should only be possible if someone has my sentry dsn key, right?

Concerned not just because my dsn may be leaked, but because that may mean other secrets are leaked as well

#2

For context: The reason I think I don’t own the server is just because of the URL. Is it possible to get an error for a URL I don’t own if the client spoofs it somehow?

#3

My 1 other thought: I got these errors just as I deployed and created DNS records for my servers. Is there any way that the IP used to point to some other server, but switched to mine, and I just happened to get some requests that were actually just the result of bad DNS caches?

#4

It’s always possible for someone to submit fake data with the DSN. I’d probably just rotate your DSN (create a new one, deploy it, then revoke the old) and see if that gets rid of the noisy data.

That said, if your DSN is not exposed in the UI (e.g. for JS errors) then you likely want to treat this scenario as more of a real concern. There shouldn’t be a way to expose a Sentry DSN unless you yourself do it.

#5

It’s not publicly-exposed. Thanks for the response, I’ll proceed assuming that all my keys need to be rotated
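A triage sketch for the three explanations raised in this thread (a client-chosen URL, stale DNS, or someone submitting events with the DSN), added here as an example and not written by any poster. It sorts exported events by the `request.url` host and the `server_name` field of the Sentry event payload; `OWNED_HOSTS`, `KNOWN_SERVERS` and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumptions for this example: the hostnames you serve and the machine
# names your own deployments report as server_name.
OWNED_HOSTS = {"app.example.org"}
KNOWN_SERVERS = {"web-1"}


def classify(event):
    """Return a triage label for one Sentry event (a dict parsed from JSON)."""
    url = event.get("request", {}).get("url", "")
    host = (urlsplit(url).hostname or "").lower()
    server = event.get("server_name")
    if host in OWNED_HOSTS:
        return "expected"
    if server in KNOWN_SERVERS:
        # Reported by one of our own processes: the request reached our
        # server carrying a Host we do not serve (stale DNS record or a
        # client-chosen Host header). Only a hint, because anyone holding
        # the DSN can set server_name to any value.
        return "foreign-host-on-own-server"
    # Nothing ties the event to our infrastructure: consistent with a
    # third party submitting events with the DSN.
    return "unknown-origin"


def triage(events):
    """Count events per label so the dominant explanation stands out."""
    return Counter(classify(e) for e in events)


# Constructed sample events, not taken from the thread.
SAMPLE_EVENTS = [
    {"server_name": "web-1", "request": {"url": "https://app.example.org/login"}},
    {"server_name": "web-1", "request": {"url": "http://other.example.net/admin"}},
    {"server_name": "web-1", "request": {"url": "http://OTHER.example.net/"}},
    {"server_name": "box-77", "request": {"url": "http://other.example.net/"}},
    {"server_name": "box-77"},  # no request data at all
]

if __name__ == "__main__":
    for label, count in triage(SAMPLE_EVENTS).most_common():
        print(f"{label}: {count}")
```

A count dominated by `unknown-origin` supports rotating the DSN and the other secrets, as the thread concludes.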