getsentry/sentry-cocoa

Envelope should send "dsn" in header


Problem Statement

I want to send the Sentry data to a proxy server first for inspection, and to check whether the request is valid and currently wanted.
See #4047 for the solution there.

I am missing a key piece to "surely" identify a request and that is the "dsn" in the envelope header.
According to https://develop.sentry.dev/sdk/envelopes/#envelope-headers it is recommended, however it seems like this SDK does not send it in the given request.

I am open to other suggestions on how to make sure that "this request" is "mine".

Solution Brainstorm

Add the "dsn", as configured in the SDK, to the envelope header.

Are you willing to submit a PR?

No (Lack of knowledge)

Hello @pquerner, thanks for reaching out.
Are you talking about the HTTP request header? Or do you really want the DSN in the envelope header (a specific data inside the envelope binary) mentioned in the docs link you shared?

The Sentry API has no use for the DSN in the request header, and technically there is no way for you to know, just by the request itself, whether the request is really yours. Any ill-intended app could copy your DSN and put it in the request. However, I don't see a reason anyone would do this because once you forward the envelope to your DSN on the server side, only you can see it at Sentry.io.

Hello,

It's true that it's more "obscurity". However, it's still one more thing an ill-intended app has to go through.

I don't think the SDK can benefit from it. You can easily achieve this in your own code like the following:

import Foundation

// Custom URLProtocol that redirects the SDK's outgoing requests to your own proxy.
// A working subclass must also override canInit(with:), startLoading() and stopLoading(),
// and be registered via URLProtocol.registerClass(_:) or URLSessionConfiguration.protocolClasses.
class SentryProxyProtocol: URLProtocol {
    override class func canonicalRequest(for request: URLRequest) -> URLRequest {
        guard let newUrl = URL(string: "https://redirectUrl.com/forwardSentry") else { return request }
        var newRequest = URLRequest(url: newUrl)
        newRequest.httpBody = request.httpBody
        newRequest.httpBodyStream = request.httpBodyStream
        newRequest.httpMethod = request.httpMethod
        newRequest.allHTTPHeaderFields = request.allHTTPHeaderFields
        // Replace the "dsn" placeholder with the DSN configured in your SentryOptions.
        newRequest.addValue("dsn", forHTTPHeaderField: "x-sentry-dsn")
        return newRequest
    }
}
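The proxy side of this setup, as an added example that is not part of the issue thread or the sentry-cocoa code base: it reads the `x-sentry-dsn` request header the client-side `URLProtocol` adds, parses the envelope header (the JSON object on the first line of the envelope body) for its optional `dsn` key, checks both against an allow-list, and derives the ingest URL to forward the unmodified body to. The allow-listed DSN, the sample envelope and the `https://<host>/api/<project_id>/envelope/` forwarding path are assumptions for illustration, not values from this page.

```python
import json
from urllib.parse import urlparse

# Constructed sample value: the DSN configured in the app's SentryOptions.
# Not a real project; replace with your own DSN(s).
ALLOWED_DSNS = {"https://examplePublicKey@o0.ingest.sentry.io/0"}

# Constructed sample envelope (event_id is made up, not taken from any real project).
SAMPLE_ENVELOPE = (
    b'{"event_id":"9ec79c33ec9942ab8353589fcb2e04dc",'
    b'"dsn":"https://examplePublicKey@o0.ingest.sentry.io/0"}\n'
    b'{"type":"event","length":2}\n'
    b'{}\n'
)


def parse_envelope_header(body: bytes):
    """Return the envelope header: the JSON value on the first line of the body."""
    first_line, _, _ = body.partition(b"\n")
    return json.loads(first_line)


def ingest_url_for(dsn: str) -> str:
    """Derive the envelope endpoint from a DSN (assumed layout: https://<host>/api/<project_id>/envelope/)."""
    parsed = urlparse(dsn)
    project_id = parsed.path.rstrip("/").rsplit("/", 1)[-1]
    return f"{parsed.scheme}://{parsed.hostname}/api/{project_id}/envelope/"


def check_request(headers: dict, body: bytes) -> tuple:
    """Decide whether a tunneled request belongs to one of our projects.

    Returns (accepted, detail). When accepted, detail is the ingest URL to
    forward the unmodified body to; otherwise it is the rejection reason.
    The x-sentry-dsn request header and the "dsn" key of the envelope header
    are both checked when present; at least one of them is required.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    candidates = []
    if "x-sentry-dsn" in lowered:
        candidates.append(lowered["x-sentry-dsn"])

    try:
        envelope_header = parse_envelope_header(body)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError are both ValueErrors
        return False, "malformed envelope header"
    if not isinstance(envelope_header, dict):
        return False, "malformed envelope header"
    if envelope_header.get("dsn"):
        candidates.append(envelope_header["dsn"])

    if not candidates:
        return False, "no DSN in request header or envelope header"
    if len(set(candidates)) > 1:
        return False, "DSN mismatch"
    if candidates[0] not in ALLOWED_DSNS:
        return False, "unknown DSN"
    return True, ingest_url_for(candidates[0])


if __name__ == "__main__":
    print(check_request({"X-Sentry-Dsn": next(iter(ALLOWED_DSNS))}, SAMPLE_ENVELOPE))
```

As the maintainer notes above, a DSN copied out of the app would pass this check too, so it only routes traffic to the right project and filters obviously foreign requests; it does not authenticate the sender.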

I see. Well, I have to go this route then.
Thanks. :)

Although I still think that when the docs recommend it, its own provided SDK should honor that, or at least make it optional.
But because "tunneling" is "not per se" documented, it's sort of fine because it's such a niche detail.