I am working on an Angular application and I want to add Azure Application Insights to my Angular SPA.
I have added all the required configuration and everything works perfectly fine.
Application Insights logs all required details like PageView and custom events with the help of the InstrumentationKey.
But I have one doubt: what will happen if the Application Insights InstrumentationKey gets stolen? The InstrumentationKey is exposed to the external world and anyone can see it.
So my question is: is there any problem if somebody gets this key? What are the repercussions if the InstrumentationKey gets stolen, and how can we avoid it?
I have gone through this article already - https://blogs.msdn.microsoft.com/premier_developer/2017/12/14/alternative-way-to-protect-your-application-insights-instrumentation-key-in-javascript/
By adjusting the configuration file, you can enable or disable Telemetry Modules and initializers, and set parameters for some of them. The configuration file is named ApplicationInsights.config or ApplicationInsights.xml, depending on the type of your application.
The extension method UseApplicationInsights() is still supported, but it's marked as obsolete in Application Insights SDK version 2.8.0 and later. It will be removed in the next major version of the SDK.
The instrumentation key identifies the resource that you want to associate your telemetry data with. You will need to copy the instrumentation key and add it to your application's code.
Connection strings define where to send telemetry data. The key-value pairs provide an easy way for users to define a prefix/suffix combination for each Application Insights (AI) service/product.
The Application Insights instrumentation key can be used on both the server and the client side. Using the instrumentation key on the server side is secure and no one can see it. The opposite happens on the client side (JavaScript), where the instrumentation key is exposed and anyone can see it by tracing the calls with a tool such as Fiddler.
The key point is that each client gets a unique short-duration instrumentation key. That's all you can control; you can't control what happens to the keys once they are off your servers.
It receives the resource group name and the AppInsights name via pipeline variable. The instrumentation key gets written to the third pipeline variable appInsights_instrumentationkey.
According to Microsoft's documentation, there is a PowerShell function to do this called Get-AzureRmApplicationInsights. However, this function did not return any value (and no error).
As described in the blog,
Alternatively, the most secure way would be to send data from the browser to your custom API on your server then forward to Application Insights resource with the correct instrumentation key (see diagram below).
You should validate if the data makes sense in your custom API before sending it to the Application Insights instance.
Here are a couple more threads on the same issue:
Application Insights security and spoofing
https://github.com/MicrosoftDocs/azure-docs/issues/24287
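The validation step recommended in the answer above, sketched as an added example (not code from the blog post or from this thread): a check the custom API could run on each browser-submitted event before forwarding it with the server-held key. The event names, limits, function name and the forwarded event shape are assumptions for illustration; the shape is a simplification, not the Application Insights wire format.

```javascript
// Hypothetical allow list and limits; tune these to the events your SPA really sends.
const ALLOWED_EVENTS = new Set(['PageView', 'CheckoutStarted', 'SearchPerformed']);
const MAX_PROPS = 10;
const MAX_VALUE_LEN = 256;
const MAX_SKEW_MS = 5 * 60 * 1000; // reject events dated far from server time

// Returns { ok: true, event } ready to forward, or { ok: false, reason }.
function sanitizeTelemetry(input, serverKey, now = Date.now()) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  if (typeof input.name !== 'string' || !ALLOWED_EVENTS.has(input.name)) {
    return { ok: false, reason: 'unknown event name' };
  }
  const ts = Date.parse(input.time);
  if (Number.isNaN(ts) || Math.abs(now - ts) > MAX_SKEW_MS) {
    return { ok: false, reason: 'timestamp missing or outside allowed skew' };
  }
  const props = input.properties === undefined ? {} : input.properties;
  if (props === null || typeof props !== 'object' || Array.isArray(props)) {
    return { ok: false, reason: 'properties must be an object' };
  }
  const entries = Object.entries(props);
  if (entries.length > MAX_PROPS) {
    return { ok: false, reason: 'too many properties' };
  }
  const clean = {};
  for (const [key, value] of entries) {
    // Keys must start with a letter, which also rejects names like __proto__.
    const keyOk = /^[A-Za-z][A-Za-z0-9_]{0,63}$/.test(key);
    if (!keyOk || typeof value !== 'string' || value.length > MAX_VALUE_LEN) {
      return { ok: false, reason: 'invalid property' };
    }
    clean[key] = value;
  }
  // Any key field sent by the browser is ignored; only the server's key is attached.
  return {
    ok: true,
    event: {
      iKey: serverKey,
      name: input.name,
      time: new Date(ts).toISOString(),
      properties: clean,
    },
  };
}
```

With this in place the browser bundle carries no instrumentation key at all, and rejected requests can be counted on the server to spot someone replaying or fabricating telemetry.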