In the docs (link), Microsoft states (see image below) that "The connection string isn't considered a security token or key," which is why it can be added to web pages as plain text. The doc also suggests creating a separate Application Insights instance just for user-side telemetry (page views).
Anyone can use the same connection string on another domain and flood my Application Insights instance with "spam" telemetry.
Are there any other ways to secure the connection string?
Yes, you're right: the Application Insights connection string is not considered a secret token or key, so it can be misused. Someone could send fake or unwanted data to your telemetry.
To avoid this, create another Application Insights instance for client-side telemetry as mentioned in this MS DOC. It limits the exposure and impact of any spam coming from browsers.
Another method to avoid spam is to implement filtering and sampling in Application Insights.
Telemetry processors allow you to drop events based on custom logic and filter out telemetry by domain, IP, or user agent.
To learn more about filtering, refer to this MS DOC.
Sampling, including fixed‑rate and adaptive, helps reduce telemetry volume and mitigate spam or burst traffic.
Refer to this MS DOC.
Set up IP allowlists or deny rules through Azure Monitor.
Use telemetry processors to discard telemetry from unexpected sources.
Apply sampling to reduce telemetry volume and limit potential spam impact.
Use custom telemetry initializers in JavaScript to tag data with properties like domain, user-agent, or custom source id, which you can later filter in Azure.
Set up Azure Monitor alerts to notify you of unusual traffic patterns.
Refer to the MS documentation.
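The tagging step from the answer above, as an added example that is not part of the original answer or of Microsoft's documentation: a telemetry initializer for the Application Insights JavaScript SDK plus a matching check to apply to ingested records. The host list, the source id and the property names `sourceHost`, `sourceId` and `sourceUserAgent` are assumptions chosen for illustration.

```javascript
// Added example. ALLOWED_HOSTS, SOURCE_ID and the property names are assumptions.
const ALLOWED_HOSTS = ["www.example.com", "app.example.com"]; // constructed values
const SOURCE_ID = "web-frontend-v1"; // hypothetical tag; it is visible in the page, not a secret

// Build a telemetry initializer for the Application Insights JavaScript SDK.
// `env` supplies hostname and userAgent so the function can be tested outside a browser.
function makeSourceTagger(env, allowedHosts = ALLOWED_HOSTS, sourceId = SOURCE_ID) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function tagSource(envelope) {
    const host = String(env.hostname || "").toLowerCase();
    // Returning false from an initializer makes the SDK drop the item before sending.
    if (!allowed.has(host)) return false;
    // Custom properties go on envelope.data and show up as customDimensions in Azure.
    envelope.data = envelope.data || {};
    envelope.data.sourceHost = host;
    envelope.data.sourceId = sourceId;
    envelope.data.sourceUserAgent = String(env.userAgent || "").slice(0, 256);
    return true;
  };
}

// Query-side counterpart: classify an ingested record by its custom properties.
// The tag can be copied from the page, so this separates noise; it does not authenticate.
function classifyRecord(props, allowedHosts = ALLOWED_HOSTS, sourceId = SOURCE_ID) {
  if (!props || props.sourceId !== sourceId) return "untagged";
  const host = String(props.sourceHost || "").toLowerCase();
  if (!allowedHosts.includes(host)) return "unexpected-host";
  return "expected";
}

// Browser registration (appInsights is the SDK instance already created on the page):
// appInsights.addTelemetryInitializer(
//   makeSourceTagger({ hostname: location.hostname, userAgent: navigator.userAgent }));
```

Records classified as "untagged" or "unexpected-host" are the ones to exclude from dashboards and to count in an alert rule.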