sentry-security-basics

# Sentry Security Basics ## Overview Configure Sentry's security posture: PII scrubbing with `beforeSend`, built-in data scrubbing, IP anonymization, browser SDK URL filtering, DSN vs auth token handling, CSP reporting, and GDPR data deletion. Covers both client-side (SDK) and server-side (dashboard) controls. ## Prerequisites - Sentry project created with Owner or Admin role - `@sentry/node` >= 8.x or `@sentry/browser` >= 8.x installed (or `sentry-sdk` >= 2.x for Python) - Compliance requirements identified (GDPR, SOC 2, HIPAA, CCPA) - List of sensitive data patterns for your domain (PII fields, API keys, tokens) ## Instructions ### Step 1 — Understand DSN vs Auth Token Security The DSN (Data Source Name) is a **client-facing identifier** — it tells the SDK where to send events. It is NOT a secret. ``` https://<public-key>@o<org-id>.ingest.us.sentry.io/<project-id> ``` - The DSN **cannot** read data, delete events, or modify settings - It is safe to ship in client-side JavaScript bundles - Restrict abuse via **Allowed Domains** (Project Settings > Client Keys > Configure) Auth tokens **ARE secrets** — they grant API access to read/write/delete data: ```bash # NEVER commit auth tokens — store in CI secrets or vault # GitHub Actions: Settings > Secrets > SENTRY_AUTH_TOKEN # GitLab CI: Settings > CI/CD > Variables (protected + masked) # Generate tokens with MINIMAL scopes: # CI releases: project:releases, org:read # Issue triage: project:read, event:read # ...