error.page docs

Security overview

Start simple, add protection as you grow — the layered path from public key to signed tokens.

error.page is designed to work the moment you paste the snippet — no security setup required to get started. But because your project's API key ships in the browser (it's public by design, like a Sentry DSN or a Google Analytics ID), you may want to add protection so nobody can send forged error reports using a copied key.

Security here is a ladder: start with nothing, add layers as your needs grow. Each is optional and independent, and you'll find every control under a project's Security panel.

The ladder

Layer Protects against Effort Where
Rate limits (always on) Volume floods from one origin None — automatic
Origin allowlist Casual & cross-site use of your key Paste your hosts Projects
Server-side secret key Anyone ingesting to your backend endpoints One header Projects
Signed ingest tokens A determined forger with your public key Server integration Hardened ingest

1. Rate limits — nothing to do

Every project is bounded by a per-project ceiling and a tighter per-IP cap, on every plan. A single origin can't flood you regardless of which key it holds. This is always on.

2. Origin allowlist — a good default

List the hosts your SDK legitimately runs on and browser ingest is accepted only from those. The Origin header is browser-enforced, so this stops casual copying and cross-site embedding. It won't stop a scripted client that spoofs the header — for that, keep climbing. Set it under Security → Browser origin allowlist.

3. Server-side secret key — for backend reporting

If you report errors from your own servers (not the browser), require a secret X-Secret-Key header. The secret never leaves your infrastructure, so only your backend can ingest. Enable it under Security → Server-side secret key.

4. Signed ingest tokens — best practice

The strongest option: your server mints a short-lived, signed token (a JWT) that the browser attaches to each report. error.page verifies the signature with a secret the browser never sees, so a forger without it can't produce a token we'll trust. You control the token lifetime and refresh cadence, and can require it strictly. This is the recommended posture for security-sensitive apps. See Hardened ingest for the full setup and copy-paste sample code in six languages.

Trust tiers

Once signed tokens are on, every incident is labelled by how it was authenticated — signed, verified (secret key), or unverified. Unverified reports are still visible but are kept out of your headline metrics, so forged traffic can't skew the numbers you act on.

Recommended posture

  • Just starting / internal tool: nothing — rate limits have you covered.
  • Public site with a browser SDK: add the origin allowlist.
  • Reporting from your backend: turn on the secret key.
  • Security-sensitive / high-value app: enable signed ingest tokens, then strict mode.