17

I am working on an Angular application and I want to add Azure Application Insights to my Angular SPA.

I have added all the required configuration and everything works perfectly fine.

Application Insights logs all the required details, like PageView and custom events, with the help of the InstrumentationKey.

But I have one doubt: what will happen if the Application Insights InstrumentationKey gets stolen? The InstrumentationKey is exposed to the external world and anyone can see it.

So my question is: is there any problem if somebody gets this key? What are the repercussions if the InstrumentationKey gets stolen, and how can we avoid it?

I have gone through this article already - https://blogs.msdn.microsoft.com/premier_developer/2017/12/14/alternative-way-to-protect-your-application-insights-instrumentation-key-in-javascript/

JleruOHeP
sudarshan1933
  • That article mentions the way to protect your key; the worst case that could happen is someone uses it to damage your application or steal sensitive information – Paulo Galdo Sandoval Feb 05 '19 at 13:26
  • But someone can intentionally use the same key and push lots of data, which will get charged to the one who owns that Application Insights. – sudarshan1933 Feb 05 '19 at 13:32
  • Any other comments? Please help!!! – sudarshan1933 Feb 06 '19 at 05:48
  • I know this issue is from a couple of years ago, but did you ever find a way to perhaps reset the instrumentation key? – Enrico Jan 12 '22 at 13:21
  • Delete and re-create the App Insights resource, @Enrico? You will lose the data (if it is a classic App Insights resource) and there will be an outage, though. A better way is to create a new App Insights resource, reconfigure the app to use the new one, and ultimately delete the old one. The loss of data can likely be prevented for workspace-based App Insights resources -- need to look into them somewhat more. – Palec Feb 08 '23 at 08:12
  • This kind of problem wouldn't happen if app insights provides a way to bind an instrumentation key to a set of predefined domains. Then, no one will be able to push irrelevant data from their apps, even if they have the key. – Pavindu Jul 26 '23 at 09:04

1 Answer

6

As described in the blog,

Alternatively, the most secure way would be to send data from the browser to your custom API on your server then forward to Application Insights resource with the correct instrumentation key (see diagram below).


You should validate if the data makes sense in your custom API before sending it to the Application Insights instance.

Here are a couple of more threads on the same issue:

Application Insights security and spoofing

https://github.com/MicrosoftDocs/azure-docs/issues/24287

AmanGarg-MSFT
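The proxy pattern the answer recommends (browser posts to your own API, which validates the data and forwards it with a server-held key), written out as an added example that is not part of the answer or of any Microsoft SDK. The allowed event names, limits, rate-limit window and the simplified envelope shape are all assumptions; in a real deployment the envelope would be handed to the server-side Application Insights SDK rather than built by hand.

```javascript
// Added example: a server-side telemetry proxy for the SPA. Only this server
// knows the instrumentation key (e.g. from an environment variable); the browser
// never sees it. Limits and event names below are assumed, not from the page.
const ALLOWED_EVENTS = new Set(['PageView', 'ButtonClick', 'SearchSubmitted']);
const MAX_PROPERTIES = 10;
const MAX_VALUE_LENGTH = 200;
const RATE_LIMIT_PER_MINUTE = 60;

// Per-client sliding window so one abusive client cannot inflate ingestion cost.
const windows = new Map();
function allowClient(clientId, nowMs) {
  const recent = (windows.get(clientId) || []).filter(t => nowMs - t < 60000);
  if (recent.length >= RATE_LIMIT_PER_MINUTE) { windows.set(clientId, recent); return false; }
  recent.push(nowMs);
  windows.set(clientId, recent);
  return true;
}

// Validate a browser-supplied event before it may reach Application Insights.
// Returns null when the event is acceptable, otherwise a short reason string.
function validateEvent(body) {
  if (!body || typeof body !== 'object') return 'body must be an object';
  if (!ALLOWED_EVENTS.has(body.name)) return 'unknown event name';
  const props = body.properties || {};
  const keys = Object.keys(props);
  if (keys.length > MAX_PROPERTIES) return 'too many properties';
  for (const k of keys) {
    if (typeof props[k] !== 'string' || props[k].length > MAX_VALUE_LENGTH) return `bad property ${k}`;
  }
  return null;
}

// Simplified forwarding record (assumed shape, not the SDK wire format):
// the key is attached here, on the server, and never leaves it.
function buildEnvelope(body, instrumentationKey) {
  return { iKey: instrumentationKey, name: body.name, properties: body.properties || {} };
}

// Handle one POST from the SPA. Returns an HTTP-style result instead of sending,
// so the decision logic can be exercised without a network.
function handleTelemetry(body, clientId, nowMs, instrumentationKey) {
  if (!allowClient(clientId, nowMs)) return { status: 429, error: 'rate limited' };
  const err = validateEvent(body);
  if (err) return { status: 400, error: err };
  return { status: 202, envelope: buildEnvelope(body, instrumentationKey) };
}
```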