Hide Sensitive Data with Application Insights JavaScript SDK using a Telemetry Initializer

H

Application Insights is incredibly powerful, especially when using the JavaScript Client SDK.

The problem is, sometimes we can be logging a little too much.

In a recent post, I explained how I needed to log the number of breaches a breached password had appeared on, using the Have I Been Pwned API.
The trouble was, since I was doing all of this client side, the AJAX request was visible as a dependency of my custom event log.
The AJAX request contained information that allowed me (or anyone with access to Application Insights) to piece together the full password (hash) in some cases.

My paranoid mind didn’t like this.
I needed to obfuscate the irrelevant data in the GET request to that particular API.

All I really needed to do is stop the Ajax dependency call logging the hash prefix part of my query to the api.pwnedpasswords.com endpoint.

To solve this, I created a very simple telemetry initializer.
This function runs for each piece of telemetry recorded, and checks to see if the target is “api.pwnedpasswords.com
If it is, it simply replaces (for example) /range/e38ad with  /range/{SHA} whilst still recording that the call was made.

Adding this just after initialising the Application Insights SDK did the trick:

window.appInsights.queue.push(function () {
    appInsights.context.addTelemetryInitializer(function (envelope) {

        var telemetryItem = envelope.data.baseData;

        if (telemetryItem.target && telemetryItem.target === "api.pwnedpasswords.com") {
            if (telemetryItem.name) {
                telemetryItem.name = obfuscate(telemetryItem.name);
            }

            if (telemetryItem.data) {
                telemetryItem.data = obfuscate(telemetryItem.data);
            }
        }

        function obfuscate(input) {
            return input.substring(0, input.lastIndexOf("range") + 6) + '{SHA}';
        }
    });
});

Application Insights now receives this dependency call as /range/{RANGE} (as opposed to the actual hash prefix)