Forum Discussion
EK9791175 (Copper Contributor)
Jul 24, 2021
instrumentationkey
Hello everyone!
I don't know if this is the right place or if this is a dumb question to ask, but should the instrumentationkey be public or private?
2 Replies
- lukemurraynz (Learn Expert): Take a look at this: https://github.com/microsoft/ApplicationInsights-JS/issues/281 It's not really a security risk, as the iKey itself doesn't provide any permissions of any kind. The only real "risk" is if a bad actor grabs and reuses your iKey, which would cause your ingested events (data in Azure Monitor) to contain a mixture of your real user and this "extra" data. The amount of these events and how this data is constructed would determine what the real level of the risk is for your subscription (this would directly affect your application). Best effort would be to obfuscate or hide it if you can.
- EK9791175 (Copper Contributor): Thank you for the reply! If you want to know why I had that question, it's that I'm trying bug bounty, and the first thing I found was that the website used some keys publicly, and I wanted to know if I should report it to them.