Securing Sentry installation by limiting publicly available endpoints

I haven’t found anything on this in official documentation, therefore the question.

Imagine if one would want to have a extremely secure self-hosted Sentry setup and would then want to only make create issue endpoints available to the outside world, keeping the rest of the Sentry endpoints functioning from within VPN only. Which endpoints would then have to be publicly accessible?

The only path that needs to be publicly accessible for event ingestion is ^/api/\d+/store/$ . Everything else can be blocked from public access. This endpoint is used to accept events only, with no read access, and is safe to expose.

Secure/hide the admin behind proxy/firewall?

1 Like

@jhermann: Thank you!