Ctrlk
Contact SupportProduct

Frontend - Prevent Token Exposure in Instrumented Applications

Problem

If your application is deployed in environments that are accessible outside your organization or to users who should not have access to sensitive credentials, exposing a Sealights token in the frontend code can increase the risk of misuse. To reduce token exposure, you need a secure way to instrument browser-based applications without embedding tokens in client-side JavaScript.

Solution

Enable tokenless instrumentation to remove the token from the browser configuration and route all browser agent traffic through a Sealights HTTP Collector installed in a secure internal network or a controlled access zone (such as a DMZ). The Collector acts as a secure proxy, mediating requests to Sealights and ensuring tokens remain protected.

In this mode, the Collector communicates with the Sealights backend and adds its own token to requests. The browser agent never handles or exposes any token.

This approach reduces token exposure and ensures sanitized instrumentation in external environments.

TL;DR

  • Use --excludeTokenFromBrowserConfig during instrumentation to enable tokenless mode.

  • Configure the browser agent to communicate only with your Collector (collectorUrl).

  • On the Collector, set disableTokenValidation=true to allow tokenless requests.

Configuration

1

Configure the HTTPS Collector

For setup instructions and configuration details, refer to the dedicated Sealights HTTP Collector Documentation

  • Ensure the Collector is running and accessible via HTTPS.

  • Configure it to:

    • Cache and serve the browser agent bundle.

    • Forward API calls to the Sealights backend.

    • Disable token validation for browser traffic by setting its option disableTokenValidation to true

2

Enable Tokenless Mode in Instrumentation

You can enable tokenless mode via environment variables or CLI flags in the slnodejs instrumentation step

SL_ExcludeTokenFromBrowserConfig=true
SL_collectorUrl=<YOUR_COLLECTOR_BASE_URL>

When properly configured, you'll see:

  • In the Cockpit Live Agents page, a collector entry

  • In the Browser Developer Console, the instrumented code without any token.

PreviousCSP Errors in instrumented JS Frontend AppsNextUnderstanding the `--` (Double Dash) Separator in `slnodejs run` Commands

Last updated

Was this helpful?