Rollbar logging API key


Rollbar uses two kinds of API keys: one is used on backend servers, and the other is used in your JavaScript browser client.

The backend token is never shared and should be kept secure. The client token can be (or is automatically) scoped to not allow any actions other than posting events.

The client token is visible using dev tools, even if you take steps to obfuscate it. If your token is abused, you can generate a new token and retire the old one. Your best strategy for token management is one that allows you to easily update it if needed. Rollbar also allows blocking by IP address, if you need to block a specific known offender.

Here's Rollbar's doc: https://help.rollbar.com/security/preventing-client-side-access-token-abuse

Author: Scott Mackay

I write code, I work mainly in C# and web using things like MS MVC, WebAPI, ServiceStack, jQuery, KnockoutJS, RavenDB, MS SQL or whatever else helps do the task. Always looking to learn new things and keep improving.

Updated on December 10, 2022
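The token-management strategy the answer recommends (a client token that can be retired and reissued without redeploying the client) written out as an added example; this is not code from the original answer, from Rollbar's SDK, or from the commenter's Flutter app, though the same pattern applies to any client that posts over HTTPS with a post-only token. It assumes a hypothetical backend endpoint `GET /api/client-config` that returns `{"rollbarToken": "...", "ttlSeconds": N}`, assumes that a 401 or 403 from Rollbar means the token was retired, and uses a 32-hex-character sanity check on the token that is an assumption about how tokens look, not a documented format. The Items API endpoint `https://api.rollbar.com/api/1/item/` and the `X-Rollbar-Access-Token` header are Rollbar's real ones; the backend and the Rollbar responses are constructed stand-ins so the code runs offline.

```javascript
// Added example (not from the original answer or from Rollbar): a browser
// client that loads its post-only Rollbar token at runtime from a
// hypothetical GET /api/client-config endpoint, caches it for a TTL, and
// reloads it once when Rollbar rejects it, so the backend can retire an
// abused token and issue a new one without shipping a new client build.

const ROLLBAR_ITEM_URL = "https://api.rollbar.com/api/1/item/"; // real Items API endpoint
const TOKEN_HEADER = "X-Rollbar-Access-Token";                  // real header name

// Sanity check only: an assumption that tokens look like 32 hex characters.
// Not a documented format; loosen it if your tokens differ.
const TOKEN_RE = /^[0-9a-f]{32}$/;

// Parse the config document served by the hypothetical backend endpoint.
function parseClientConfig(json) {
  const cfg = JSON.parse(json);
  if (typeof cfg.rollbarToken !== "string" || !TOKEN_RE.test(cfg.rollbarToken)) {
    throw new Error("client config did not include a usable Rollbar token");
  }
  const ttl = Number(cfg.ttlSeconds);
  return { token: cfg.rollbarToken, ttlSeconds: Number.isFinite(ttl) && ttl > 0 ? ttl : 3600 };
}

// Build the request the browser would send. The token travels in a header,
// not the URL, so it does not end up in access logs; it is still visible in
// dev tools, which is exactly why it must be a post-only client token.
function buildItemRequest(token, item) {
  return {
    method: "POST",
    url: ROLLBAR_ITEM_URL,
    headers: { "Content-Type": "application/json", [TOKEN_HEADER]: token },
    body: JSON.stringify({ data: item }),
  };
}

// Holds the current token; refresh() forces a reload after a rejection.
class ClientTokenSource {
  constructor(fetchConfigText, now = () => Date.now()) {
    this.fetchConfigText = fetchConfigText; // async () => JSON string from /api/client-config
    this.now = now;
    this.token = null;
    this.expiresAt = 0;
  }
  async current() {
    if (this.token && this.now() < this.expiresAt) return this.token;
    return this.refresh();
  }
  async refresh() {
    const { token, ttlSeconds } = parseClientConfig(await this.fetchConfigText());
    this.token = token;
    this.expiresAt = this.now() + ttlSeconds * 1000;
    return token;
  }
}

// Posts items. On 401/403 it assumes the token was retired, reloads it once
// and retries; any other status is returned to the caller unchanged.
class RollbarReporter {
  constructor(tokenSource, send) {
    this.tokenSource = tokenSource; // ClientTokenSource
    this.send = send;               // async (request) => { status }
  }
  async report(item) {
    let res = await this.send(buildItemRequest(await this.tokenSource.current(), item));
    if (res.status === 401 || res.status === 403) {
      res = await this.send(buildItemRequest(await this.tokenSource.refresh(), item));
    }
    return res;
  }
}

// Constructed stand-in for both the backend and Rollbar so this runs offline.
// In a real app: fetchConfigText = () => fetch("/api/client-config").then(r => r.text())
// and send = (req) => fetch(req.url, req).
function makeFakeBackend() {
  let issued = "0123456789abcdef0123456789abcdef";
  const valid = new Set([issued]);
  return {
    fetchConfigText: async () => JSON.stringify({ rollbarToken: issued, ttlSeconds: 60 }),
    send: async (req) => ({ status: valid.has(req.headers[TOKEN_HEADER]) ? 200 : 401 }),
    // Retire the old token and issue a new one, as you would after abuse.
    rotate(next) { valid.delete(issued); issued = next; valid.add(next); },
    currentToken: () => issued,
  };
}

// Report, rotate the token server-side, report again: the second report
// fails once with 401, the client reloads the token and succeeds.
async function demo() {
  const backend = makeFakeBackend();
  const reporter = new RollbarReporter(new ClientTokenSource(backend.fetchConfigText), backend.send);
  // A minimal item; a real payload also needs data.environment.
  const first = (await reporter.report({ body: { message: { body: "hello" } } })).status;
  backend.rotate("fedcba9876543210fedcba9876543210");
  const second = (await reporter.report({ body: { message: { body: "after rotation" } } })).status;
  return { first, second, token: backend.currentToken() };
}
```

The only thing the backend has to do to retire an abused token is start serving the replacement from the config endpoint; the cached copy in already-open tabs is dropped on the first rejected post. Keep the TTL short enough that a rotation does not leave stale tokens generating rejected posts for long.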

Comments

  • Scott Mackay (over 1 year ago)

    So I have a Flutter app that logs to Rollbar. The HTTPS requests require an API key (restricted to just being able to submit logs) which will be the same for all clients.

    Is it good practice to keep this key protected somehow or should it just be hard coded in the app?

    If it should be protected, what is the best strategy for handling this?

  • Scott Mackay (almost 5 years ago)
    Thanks, this is much as I suspected.