Application Insights security and spoofing

Question

This may be a silly question but is client side application insights safe from spoofing? Microsoft ask you to add a bit of JavaScript to your HTML page that needs recording and part of this contains a hard coded instrumentation key (not a real key below!):

instrumentationKey: "3D486E8C-BDEF-43AB-B27A-9D3F9D42EC14"

There doesn't seem to be any other relationship between Url and key or any mechanism to prevent spoofing of this key client side (i.e. randomly generating the key with different numbers and submitting the page).

This wouldn't cause any damage, but it would be annoying to the receiver of the incorrect monitoring data, which may well be all someone wants to do "because they can".

Have I missed something fundamental as to why this is not possible?

Alex Bulankou Alex Bulankou · Accepted Answer · 2015-01-20T06:45:51

This is absolutely correct that anyone can log misleading or garbage data to anyone’s AI account if they know the instrumentation key. This is also correct for most web other analytics systems: the request to log information is sent unauthenticated and anyone with sufficient skill can emulate a valid user data. The fact that AI has instrumentation key embedded on the page does not make it easier because anyone using web traffic monitor tool like Fiddler can still intercept and emulate the requests, even if instrumentation key was not embedded on the page. If you suspect that a malicious user will purposefully log misleading data using your AI key, you should use caution and validate if the data makes sense before making your business decisions, for example from how many users was the data obtained and over what period of time, and whether your client-side page view data matches the server-side requests data.

Application Insights security and spoofing

2 Answers