Alternative way to protect your Application Insights “Instrumentation Key” in JavaScript

Pam Lahoud

This post on Application Insights and protecting your instrumentation key comes to us from Premier Developer consultant Adel Ghabboun.

Application Insights instrumentation key can be used in both Server and client side. Using the instrumentation key in the server side is secured and no one can see it. The opposite happens on the client side “JavaScript” where the instrumentation key is exposed, and anyone could see the key whenever they use fiddler to trace the calls. Knowing that, the instrumentation key doesn’t allow anyone to read anything from anywhere, it can only be used to write data to a resource.

Currently, there is no way to protect an instrumentation key in JavaScript. Every JavaScript based analytics tool has this issue so anything you do to protect it in the browser would be visible at debug time in the browser anyway.

At this point the risk is minimal since the most that could happen is unwanted data gets sent to your Application Insights resource, but to recognize whether the incoming data is real or not, you can enrich the data with properties that can be included in the queries and proves it is real.

Alternatively, the most secure way would be to send data from the browser to your custom API on your server then forward to Application Insights resource with the correct instrumentation key (see diagram below).