I am trying to get metrics with the Azure Application Insights Service for my Static Page built by Angular.
To add the Application Insights JavaScript code snippet to the application I need to set the Instrumentation Key (Connection String) in the "plain code", like:
<script type="text/javascript">
// ... rest of code
cfg: { // Application Insights Configuration
connectionString: "CONNECTION_STRING"
}});
</script>
I have come across the option to use the Application Insights plugin for Angular during development, but I believe the issue of exposing the Connection String would still persist.
Considering that the Connection String contains sensitive information, it seems problematic to have it accessible to the client. I would like to ensure the security of my key. How can I address this concern?
asked May 16, 2023 at 15:10 by ricklink
Comment (ZakiMa, May 17, 2023 at 2:28): If you're reporting data from an unauthenticated web page (i.e. client side) there is not much you can do. The instrumentation key is a resource identifier for ingestion and is not considered a secret. If you're reporting data from an authenticated web page, you can set up AAD auth.
2 Answers
The connection string (to be more precise: the instrumentation key therein) is not considered sensitive information. It is intended to be embedded in (public) website code. The worst somebody could do is flood your AppInsights instance with nonsense data. (But you should in any case have limits in place to protect yourself from unexpectedly high bills.)
As Microsoft says here, the other options might be hard to implement. So it depends on how badly you want to protect it. On the other hand, if you don't, someone can clutter your App Insights page views, for example, which not only makes it hard to see which ones are legitimate and which ones are from the hackers, but can also significantly increase your App Insights costs.
Here is the quote from the MS document:
The connection string contains an ikey, which is a unique identifier used by the ingestion service to associate telemetry to a specific Application Insights resource. It's not considered a security token or key. If you want to protect your AI resource from misuse, the ingestion endpoint provides authenticated telemetry ingestion options based on Azure Active Directory (Azure AD).
The Application Insights JavaScript SDK requires the connection string to be passed in during initialization and configuration. It's viewable in plain text in client browsers. There's no easy way to use the Azure AD-based authentication for browser telemetry. We recommend that you consider creating a separate Application Insights resource for browser telemetry if you need to secure the service telemetry.
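Added example, not code from the question or from either answer: it parses a connection string to show what the browser actually ships (a resource identifier plus public endpoint URLs, no credential), validates its shape, and checks the one thing the quoted Microsoft guidance asks for, namely that the browser connection string points at a different Application Insights resource than the server-side one. The connection-string values, the placeholder GUIDs and hosts, and the function names are all constructed for illustration.

```javascript
// Added example (not from the question or either answer). Shows what a
// connection string carries, validates its shape, and checks that browser
// telemetry goes to its own Application Insights resource, as the quoted
// Microsoft guidance suggests. Values and function names are constructed.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Split "Key=Value;Key=Value" into an object. Keys keep their original case.
function parseConnectionString(cs) {
  const fields = {};
  for (const segment of cs.split(";")) {
    const s = segment.trim();
    if (!s) continue;
    const eq = s.indexOf("=");
    if (eq < 1) throw new Error("malformed connection string segment: " + s);
    fields[s.slice(0, eq).trim()] = s.slice(eq + 1).trim();
  }
  return fields;
}

// Check the fields the browser SDK needs to route telemetry. None of them is a
// credential: the ikey identifies the resource, the ingestion endpoint is a
// public URL. Returns a list of problems, empty when the string is usable.
function validateConnectionString(cs) {
  const problems = [];
  let fields;
  try {
    fields = parseConnectionString(cs);
  } catch (e) {
    return [e.message];
  }
  if (!fields.InstrumentationKey) {
    problems.push("missing InstrumentationKey");
  } else if (!GUID_RE.test(fields.InstrumentationKey)) {
    problems.push("InstrumentationKey is not GUID-shaped: " + fields.InstrumentationKey);
  }
  if (fields.IngestionEndpoint && !/^https:\/\//i.test(fields.IngestionEndpoint)) {
    problems.push("IngestionEndpoint must be https: " + fields.IngestionEndpoint);
  }
  return problems;
}

// The ikey is what identifies the resource, so two connection strings with the
// same ikey feed the same resource. Returns findings, empty when isolated.
function checkBrowserResourceIsolation(browserCs, serverCs) {
  const b = parseConnectionString(browserCs);
  const s = parseConnectionString(serverCs);
  const findings = [];
  if (b.InstrumentationKey && b.InstrumentationKey === s.InstrumentationKey) {
    findings.push(
      "browser and server telemetry share one resource (same ikey); " +
        "create a separate Application Insights resource for browser telemetry"
    );
  }
  return findings;
}

// Constructed sample values: placeholder GUIDs and hosts, not real resources.
const BROWSER_CS =
  "InstrumentationKey=11111111-2222-3333-4444-555555555555;" +
  "IngestionEndpoint=https://example-region.in.applicationinsights.azure.com/;" +
  "LiveEndpoint=https://example-region.livediagnostics.monitor.azure.com/";
const SERVER_CS =
  "InstrumentationKey=66666666-7777-8888-9999-aaaaaaaaaaaa;" +
  "IngestionEndpoint=https://example-region.in.applicationinsights.azure.com/";

if (typeof require !== "undefined" && require.main === module) {
  console.log(parseConnectionString(BROWSER_CS));
  console.log("browser string problems:", validateConnectionString(BROWSER_CS));
  console.log("isolation findings:", checkBrowserResourceIsolation(BROWSER_CS, SERVER_CS));
  console.log("isolation findings (shared):", checkBrowserResourceIsolation(BROWSER_CS, BROWSER_CS));
}
```

Run it with node; the parsed object shows that what ends up in page source is an identifier and URLs, which is why the answers treat it as non-secret, and the isolation check is the cheap build-time guard for the "separate resource for browser telemetry" recommendation. It does not stop a third party from posting junk telemetry with the ikey; that is what the daily cap and, where feasible, AAD-authenticated ingestion are for.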