I’m just getting started with Sentry. It struck me as odd that all the SDK needs to send a message to the Sentry server is the DSN, and at the same time you should embed that DSN into the JavaScript bundle that is served to the client.
Doesn’t that mean anyone can extract your DSN and then spam your Sentry project? Is spam a problem for anyone? Or is there something I’m missing?
I’m just being curious, I haven’t actually experienced any problems.
Doesn’t that mean anyone can extract your DSN and then spam your Sentry project?
That’s pretty much the state of the art and there is no way to automatically prevent it. We haven’t heard of a practical issue with this. The much bigger spam-related problem people usually have is legitimate crashes that contain no information or that nobody cares about (“your app crashes a lot on Windows XP, here are 6k events”).
We allow you to filter events, e.g. ban IP addresses or certain app releases from sending events, but that’s primarily meant for buggy deployments of your own app, not because somebody maliciously used your DSN.
It is the same situation as with any other application identifying auth tokens. For example, you can also extract OAuth credentials from an official Twitter app and use them to access the Twitter API (which allows you to get much better rate limits and to pretend to be sending tweets from the official app).
Yeah, I don’t have a solution to propose here, I was just a little confused because I wasn’t sure if I should treat the DSN as a secret or not. Especially since it contains a key, which usually means it’s something one should keep secret, because why else have a key in the DSN?
Anyway, I’ve been acquainting myself more with Sentry now and I gotta say it’s pretty sweet.
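As an added illustration of the two points made in this thread (what a DSN in a client bundle actually exposes, and the kind of inbound filtering the reply describes), here is a small JavaScript example. It is not code from the thread or from Sentry itself: it parses a DSN of the documented shape `scheme://public_key[:secret_key]@host[/path]/project_id` into its parts, and simulates a deny-list filter on IP address and app release over a few constructed events. The DSN, host, IP addresses, release names and event messages are all constructed placeholders.

```javascript
// Added example (not from the forum thread or Sentry's code base).
// Shows the parts of a Sentry-style DSN a client bundle exposes, and
// simulates an inbound deny-list filter (by IP address or release) of the
// kind the reply mentions. All sample values below are constructed.

// DSN shape: <scheme>://<public_key>[:<secret_key>]@<host>[/<path>]/<project_id>
// Uses the WHATWG URL class, global in browsers and in Node.
function parseDsn(dsn) {
  const u = new URL(dsn);
  const segments = u.pathname.split('/').filter(Boolean);
  const projectId = segments.pop();
  return {
    scheme: u.protocol.replace(':', ''),
    // The key sits in the username slot; it is the "public key" and only
    // identifies which project the event is written to.
    publicKey: u.username,
    // Older DSNs carried a second, secret key in the password slot. A DSN
    // with one should stay server-side and never ship in a client bundle.
    hasLegacySecret: u.password.length > 0,
    host: u.host,
    path: segments.length ? '/' + segments.join('/') : '',
    projectId,
    // The DSN authorizes sending events to this one project. Reading events
    // or changing project settings requires an API token, not the DSN.
    grants: ['send events to project ' + projectId],
  };
}

// Simulation of server-side inbound filtering: events from banned IP
// addresses or banned app releases are dropped, everything else is kept.
// This mirrors the behaviour described in the reply; it is not Sentry's
// implementation.
function applyInboundFilters(events, { bannedIps = [], bannedReleases = [] } = {}) {
  const ips = new Set(bannedIps);
  const releases = new Set(bannedReleases);
  return events.filter((e) => !ips.has(e.ip) && !releases.has(e.release));
}

// Constructed sample input (placeholder key, host and project id).
const SAMPLE_DSN = 'https://0123456789abcdef@sentry.example.invalid/42';

// Constructed sample events, using documentation IP ranges.
const SAMPLE_EVENTS = [
  { ip: '198.51.100.7', release: '1.1.0', message: 'TypeError in checkout' },
  { ip: '203.0.113.9',  release: '1.1.0', message: 'event from a banned address' },
  { ip: '198.51.100.8', release: '1.0.0', message: 'crash in a retired release' },
];

// Filter settings a project owner might configure after noticing noise.
const FILTERS = { bannedIps: ['203.0.113.9'], bannedReleases: ['1.0.0'] };

function demo() {
  const parsed = parseDsn(SAMPLE_DSN);
  const kept = applyInboundFilters(SAMPLE_EVENTS, FILTERS);
  return { parsed, kept };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { parsed, kept } = demo();
  console.log('DSN parts exposed to the client:', parsed);
  console.log('Events accepted after inbound filters:', kept);
}
```

The parser makes the reply's point concrete: once the legacy secret slot is empty, the only thing left in the DSN is a project identifier plus a public key, and the only capability it confers is writing events to that project. The filter shows the defensive knob the thread mentions; it reduces noise from a known address or a known-bad release but, as the reply says, it does not stop someone who has the DSN from sending events in the first place.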