I want to include sensitive (debug) information on the page in case of errors so that I can collect that information while checking the production app. It is easier to use than logs.
To make this secure I can:
- show the debug info only when a secret key is in cookies
- encrypt the information on the page and decrypt it using JavaScript in the browser (via extension or just JavaScript included on the page)
The second option looks a bit better as it:
- makes it possible to ask the user to send us the encrypted data with a description of the bug
- does not require an HTTPS connection to be secure.
The disadvantage of this approach is that you can have some performance issues if you collect debugging data so maybe the best would be to use a combination of both approaches…
Actual questions:
- Do you know any library / browser extension that implements such feature?
- Do you know any better way of doing this?
- What do you think about the second idea?
The encryption solution would make you very vulnerable if the decryption key should be lost. You may change the key at regular intervals, but if an attacker gets your key then he still can use that to decrypt old stacktraces that he may have collected.
How about this approach? Store the stacktrace on the server with a unique id, i.e. in a database or in a file. Put the unique id on the web page with the error message and ask the end user to copy this id when he reports any errors. Create a web page with a form where you can enter the unique id and your own username and password. The web page shows you the stacktrace.
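A sketch of the server-side reference scheme described in the answer above, as an added example that is not code from the original post. It assumes SQLite for storage and a single constructed support account; the table name, function names and credentials are all hypothetical.

```python
import hashlib, hmac, secrets, sqlite3, traceback

DEMO_SALT = b"constructed-salt"  # constructed; use a per-user random salt in practice

def hash_password(password, salt=DEMO_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed support account; a real app would reuse its existing login system.
SUPPORT_USERS = {"alice": hash_password("constructed-demo-password")}

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS error_reports ("
               "ref TEXT PRIMARY KEY, created TEXT DEFAULT CURRENT_TIMESTAMP, "
               "trace TEXT NOT NULL)")
    return db

def record_error(db, exc):
    """Keep the full stack trace on the server; return only an opaque reference."""
    ref = secrets.token_urlsafe(16)  # 128 random bits: unguessable, encodes nothing
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    with db:
        db.execute("INSERT INTO error_reports (ref, trace) VALUES (?, ?)", (ref, trace))
    return ref

def error_page(ref):
    """Text shown to the end user: no debug data, just the id to quote."""
    return f"Something went wrong. Please include reference {ref} in your bug report."

def authenticate(username, password):
    stored = SUPPORT_USERS.get(username, bytes(32))  # dummy value for unknown users
    return hmac.compare_digest(stored, hash_password(password))

def lookup_trace(db, username, password, ref):
    """Support-side form handler: credentials are checked before any lookup."""
    if not authenticate(username, password):
        raise PermissionError("invalid credentials")
    row = db.execute("SELECT trace FROM error_reports WHERE ref = ?", (ref,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_store()
    try:
        1 / 0
    except ZeroDivisionError as exc:
        ref = record_error(db, exc)
    print(error_page(ref))
    print(lookup_trace(db, "alice", "constructed-demo-password", ref))
```

Because the id is random rather than derived from the trace, nothing a user copies or an eavesdropper captures can be decoded later, which addresses the key-loss concern raised above.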