#general

Security Measures for Frontend Tracing in SigNoz

TLDR Marc raised concerns about the security of sending traces from the frontend to the backend. Ankit suggested security measures such as API_KEY, HTTPS, CSRF protection, and CORS handling. The discussion is ongoing about finding the best approach.

9mo

Join the chat

Mar 02, 2023 (9 months ago)

Photo of md5-4e1339a088cf20de25e66ff4aaf1a81d

Marc

06:20 PM

Hi there.
I’m wondering about security in sending traces from the frontend to the backend. Couldn’t anyone send traces to the backend to try and make a DDOS attack. Is the collector built with this in mind? Is there an approach to ensure only authorized applications can send trace, log and metrics to the collector?

Photo of md5-f936d3e5743d23344d6c60813189716f

vishal-signoz

06:23 PM

There’s already an issue open for this. You can follow it: https://github.com/SigNoz/signoz/issues/1254
cc: Ankit Will this be prioritized in upcoming weeks?

Marc

06:50 PM

Hi vishal-signoz
Thanks for the reply
I was think more about telemetry coming from web browsers. I think the article link in the issue https://medium.com/opentelemetry/securing-your-opentelemetry-collector-1a4f9fa5bd6f is for an OTel agent connecting to with the collector. I would expect that viable within a k8s cluster, but not so viable for web browsers

Photo of md5-dbe7088320fe1d922707613e02f3420d

Ankit

07:41 PM

Marc great that you brought that up. What security measures you think should be added to enable safe frontend to otel-collector communication? A few in mind are:
• Client Authorisation using API_KEY
• HTTPS
• CSRF protection
• CORS handling

07:42

Ankit

07:42 PM

Have you been able to enable distributed tracing of backend services with SigNoz and looking to add tracing from frontend too?

Marc

09:09 PM

I think those approaches to security are the best we can do. I have SigNoz working locally at this point, but I’m hoping for a good solution for avoid abuse before looking at deploying on the Internet.

09:10

Marc

09:10 PM

I wonder what happens thousands of erroneous traces get to the collector

Mar 03, 2023 (9 months ago)

Ankit

04:35 AM

I understand the concerns for adding tracing to browsers as they would be talking to publicly exposed collectors. I think we should be prioritising this and pick up very soon. Till then you can keep exploring SigNoz without exposing SigNoz to the internet 🙂

Photo of md5-ce04a9988e2fd758a659dc55be6f2543

Srikanth

05:11 AM

While these measures help, the rouge actors can still act bad. In case of API_KEY/SECRET_KEY they can visit your app and copy the values. I am not sure if there is truly attack free system possible if you want to make it accessible from the public internet.

Mar 04, 2023 (9 months ago)

Marc

09:44 PM

I’m thinking that one approach could be to buffer traces, logs, metrics in the browser until the user authenticates. I know that this would not be appropriate for some web apps, e.g. where user’s do not login, but in many cases it seems like a good approach. In scenarios where a user has a cookie already set it would not need to be buffered, but in reality a little buffering is likely a good thing.
There would need to be limits placed to avoid buffering too much data and either a rolling window of data to remove the oldest data as the buffer becomes full, or stop adding data after a certain point.

Mar 05, 2023 (9 months ago)

Ankit

07:34 AM

I think OpenTelemetry sdks already do have buffers to batch data and send but that is unrelated to auth atleast in their case

SigNoz Community

Built with ClickHouse as datastore, SigNoz is an open-source APM to help you find issues in your deployed applications & solve them quickly | Knowledge Base powered by Struct.AI

Indexed 1023 threads (61% resolved)

Join Our Community

Similar Threads

Troubleshooting Signoz Dashboard Not Showing Traces

prasanth encountered issues with Signoz dashboard not displaying traces. Srikanth recommended configuring the `OTEL_EXPORTER_OTLP_ENDPOINT`, but they are still facing issues with the exporter's connection.

9mo

Multi-Destination Export with OTEL Collector and SigNoz

Alex wants to export telemetry to multiple services. Srikanth suggests using OTEL collector to forward data to both SigNoz and DataDog.

9mo

Replacing Grafana Elastic and Prometheus Setup with SigNoz

Dipen is trying to replace the current setup with SigNoz. Both Nocnica and Srikanth provide possible solutions including using OpenTelemetry and target allocator respectively.

3mo

Troubleshooting SigNoz Auto-Instrumentation Configuration

igor is having trouble configuring auto-instrumentation for Java applications using SigNoz, with traces not appearing in the SigNoz UI. Prashant advises to check logs of the otel sidecar, use service name for endpoint, verify supported libraries, and test with telemetrygen. However, the issue still persists.

8mo

Parsing JSON Logs in Kubernetes for Different Applications

Nick sought advice on parsing JSON logs in Kubernetes for apps without OTEL support. nitya-signoz suggested using additional operators, creating pipelines, and mapping according to the business logic.

8mo