Api key is public #595
Comments
|
How would you even intend for this to be implemented without the key being accessible to the user? |
|
Just to reassure you that the API key can only be used to send error reports / source maps to your Bugsnag account. The data then comes into your Bugsnag dashboard, which no unauthorized users can read. In the event that someone got a hold of your API key, they would not be able to compromise your data. They would in theory be able to send fake reports / source maps to your dashboard but we've not generally seen issues with such misuse of an API key. The impact to you would be low and it would be of no real benefit to an attacker. We are considering whether we could support different authentication methods for uploading source maps and notifying releases in the future. With error reports for Javascript projects, you're also able to activate domain whitelisting under your project settings to prevent error reports being stored by Bugsnag if they're a result of someone downloading your JS and running it locally / on a different site. |
|
hi , <script>window.bugsnagClient = bugsnag('API_KEY')</script> |
|
Hi @Huntinex, As per @mattdyoung's comment above, the API key is a write-only public key and cannot be used to access any data. A malicious actor could potentially send fake error reports, sessions or source maps to your Dashboard but this would not be of any real benefit to an attacker. We also support configuring allowed domains for browser JS projects, so that you can reject errors and sessions that do not originate from your chosen domain(s): https://docs.bugsnag.com/platforms/javascript/angular/faq/#how-can-i-reject-errors-that-don-39-t-originate-from-my-domain |
Crashes will now be collected with an optional comment, and uploaded on next launch of the app. Signed-off-by: Christopher Snowhill <kode54@gmail.com>
Hi, if running bugsnag on the client, the docs tell me to put the api key in client-side code:
Since the api key is public, I was wondering, what's the worst that could happen? I guess someone could use my key to spam my bugsnag dashboard with bogus events. I'm okay with that, but I wanted to make sure that this key isn't use for any authentication purposes or for retrieving data.
However, in this issue: bugsnag/bugsnag-react-native#112
The OP is saying this public api key can be used to manipulate sourcemaps as part of an elaborate attack. That issue is still open, so I'm concerned about using bugsnag in client-side code.
The text was updated successfully, but these errors were encountered: