microsoft / applicationinsights-react-js

Microsoft Application Insights React plugin
MIT License

Doesn't appear to be secure #38

Open 72gm opened 1 year ago

72gm commented 1 year ago

Hi,

On testing this I noticed the following:

From the Network tab I can see it calls https://dc.services.visualstudio.com/v2/track with the instrumentation key in the payload.

Which means I can steal these two bits of information and use Postman to directly insert stuff in our insights database.

Which I did


Expected behavior

I'd expect that you could lock this down in DevOps with something like a setting to restrict which domains the info came from?

Otherwise someone could skew your analytics/bombard your analytics DB!?

Can you advise?

MSNev commented 1 year ago

The iKey is not secure, and you don't even have to go to the extreme of seeing the payload in the Network tab: as part of initializing the SDK, your JavaScript code or the initial page will and MUST include it.

There is a nice long thread on this here: https://github.com/microsoft/ApplicationInsights-JS/issues/281, but the short answer is that there is no way to secure this value and it is not considered to be a secret.

bandersen22000 commented 1 year ago

@MSNev just to be clear, you won't support Azure AD authentication for Application Insights in the future, where you add the login credentials to the appInsights.defaultClient as described here: https://learn.microsoft.com/en-us/azure/azure-monitor/app/azure-ad-authentication?tabs=nodejs#ingestion-http-errors

Or is this only related to backend clients?

MSNev commented 1 year ago

Correct, we currently have no active plans to implement this from the client side, and yes, this is currently designed for "server" (backend) systems ingestion, where the keys can be more tightly controlled.

While conceptually it would seem that having "user" AAD credentials passed down would work, there would be no way to send any telemetry "until" the user has authenticated, or to securely have any "standard" authentication available from the clients.