What will happen if ApplicationInsights InstrumentationKey gets stolen?

Question

I am working on Angular Application and I want to add Azure Application Insights in my Angular SPA.

I have added all required configuration and Everything works perfectly fine.

Application Insights will logs all required details like PageView and custom events with the Help of InstrumentationKey.

But I have one doubt, that What will happen if ApplicationInsights InstrumentationKey gets stolen? InstrumentationKey is exposed to external world and anyone can see it.

So my question is, Is there any problem if somebody gets this key? what are replications if InstrumentationKey gets stolen and how can we avoid it?

I have gone through this article already - https://blogs.msdn.microsoft.com/premier_developer/2017/12/14/alternative-way-to-protect-your-application-insights-instrumentation-key-in-javascript/

In that article mentions the way to protect your key, the worst case that could happen is someone uses it to damage your application or steal sensitive information — Paulo Galdo Sandoval
But Someone can intentionally use the Same key and will push lots of data which will get charged to one who owns that Application Insights. — sudarshan1933

AmanGarg-MSFT AmanGarg-MSFT · Accepted Answer · 2019-02-06T19:15:02

As described in the blog,

Alternatively, the most secure way would be to send data from the browser to your custom API on your server then forward to Application Insights resource with the correct instrumentation key (see diagram below).

You should validate if the data makes sense in your custom API before sending it to the Application Insights instance.

Here are a couple of more threads on the same issue:

Application Insights security and spoofing

https://github.com/MicrosoftDocs/azure-docs/issues/24287

What will happen if ApplicationInsights InstrumentationKey gets stolen?

1 Answers