search
Contact SupportProduct

Frontend - Prevent Token Exposure in Instrumented Applications

hashtag
Problem

If your application is deployed in environments that are accessible outside your organization or to users who should not have access to sensitive credentials, exposing a Sealights token in the frontend code can increase the risk of misuse. To reduce token exposure, you need a secure way to instrument browser-based applications without embedding tokens in client-side JavaScript.

hashtag
Solution

Enable tokenless instrumentation to remove the token from the browser configuration and route all browser agent traffic through a Sealights HTTP Collector installed in a secure internal network or a controlled access zone (such as a DMZ). The Collector acts as a secure proxy, mediating requests to Sealights and ensuring tokens remain protected.

In this mode, the Collector communicates with the Sealights backend and adds its own token to requests. The browser agent never handles or exposes any token.

This approach reduces token exposure and ensures sanitized instrumentation in external environments.

hashtag
TL;DR

  • Use --excludeTokenFromBrowserConfig during instrumentation to enable tokenless mode.

  • Configure the browser agent to communicate only with your Collector (collectorUrl).

  • On the Collector, set disableTokenValidation=true to allow tokenless requests.

hashtag
Configuration

1

hashtag
Configure the HTTPS Collector

circle-info

For setup instructionsarrow-up-right and configuration detailsarrow-up-right, refer to the dedicated Sealights HTTP Collector Documentationarrow-up-right

  • Ensure the Collector is running and accessible via HTTPS.

  • Configure it to:

    • Cache and serve the browser agent bundle.

    • Forward API calls to the Sealights backend.

    • Disable token validation for browser traffic by setting its option disableTokenValidation to true

2

hashtag
Enable Tokenless Mode in Instrumentation

You can enable tokenless mode via environment variables or CLI flags in the slnodejs instrumentation step

SL_ExcludeTokenFromBrowserConfig=true
SL_collectorUrl=<YOUR_COLLECTOR_BASE_URL>
circle-check

When properly configured, you'll see:

  • In the Cockpit Live Agents page, a collector entry

  • In the Browser Developer Console, the instrumented code without any token.

PreviousCSP Errors in instrumented JS Frontend AppsNextUnderstanding the `--` (Double Dash) Separator in `slnodejs run` Commands

Last updated

Was this helpful?