Secure OpenReplay

If you’re bringing your own certificate, create an SSL secret using the following command: kubectl create secret tls openreplay-ssl -n app --key="private_key_file.pem" --cert="certificate.crt".

Note: If you don’t have a certificate, generate one that auto-renews for your subdomain (the one provided during installation) using Let’s Encrypt. Connect to your OpenReplay instance, run cd openreplay/scripts/helmcharts && bash and follow the steps.

If you wish to enable HTTP to HTTPS redirection (recommended), uncomment the block below, under the ingress-nginx section, in openreplay/scripts/helmcharts/vars.yaml:

ingress-nginx: &ingress-nginx
      ssl-redirect: true
      force-ssl-redirect: true

Note: Our ingress-nginx listens on ports 80 and 443 by default, but this can easily be changed, if needed, in vars.yaml:

ingress-nginx: &ingress-nginx
        http: 80
        https: 443

Finally, reinstall NGINX:

cd openreplay/scripts/helmcharts && ./openreplay-cli -I

OpenReplay supports reCaptcha (v2) for additional security. To enable this protection:

  1. Open openreplay/scripts/helmcharts/vars.yaml, then uncomment and update the below env variables in the chalice section:
  2. Edit env.js in openreplay/frontend/ and substitute the CAPTCHA_SITE_KEY variable with your reCaptcha site key.
  3. Rebuild the frontend:
     cd openreplay/frontend
     IMAGE_TAG=my-custom-image PUSH_IMAGE=1 DOCKER_REPO=my-docker-user-name bash -x
  4. Open openreplay/scripts/helmcharts/vars.yaml and specify your newly built frontend image in the frontend block:
     repository: "my-docker-username/frontend"
     tag: "my-custom-image"
  5. Restart the frontend and web server services for the changes to take effect:
     cd openreplay/scripts/helmcharts && ./openreplay-cli -I

Here is an example of a Content Security Policy (CSP) that allows OpenReplay to record sessions. It must be adapted to your domain and security requirements:

worker-src 'self' blob: https://*; script-src 'self' https://*;

To apply your CSP to NGINX, connect to your OpenReplay instance and follow the steps below:

  1. Open openreplay/scripts/helmcharts/vars.yaml and add your CSP in the frontend block. Make sure to update
    cspSnippet: |
      add_header Content-Security-Policy "worker-src 'self' blob: https://*; script-src 'self' https://*;";

Note: Make sure to replace occurrences in the above CSP with your OpenReplay domain name. The value should be the same as DOMAIN_NAME in the openreplay/scripts/helmcharts/vars.yaml file.

  2. Reinstall NGINX to apply your newly added CSP:
cd openreplay/scripts/helmcharts && ./openreplay-cli -I

Cross-domain requests are allowed by default from all origins (Access-Control-Allow-Origin: *). If you wish to restrict recordings to a few domains only, open openreplay/scripts/helmcharts/vars.yaml and update the http block as below:

    annotations: "true" ","

Then, reinstall NGINX:

cd openreplay/scripts/helmcharts && ./openreplay-cli -I
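As an added example (not part of the OpenReplay docs or project), a small offline checker that tells you whether a response carries the three hardening settings from this page: the HTTP to HTTPS redirect, the CSP directives the tracker needs (with the https://* wildcard narrowed to your domain), and a non-wildcard Access-Control-Allow-Origin. The header dicts in the comments and the domain openreplay.example.com are constructed assumptions; feed it the status code and headers of a real response (for instance from requests.head(url, allow_redirects=False)) to audit a live instance.

```python
from typing import Dict, List, Optional

def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (proxies often lower-case names)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_redirect(status: int, headers: Dict[str, str]) -> List[str]:
    """A plain-HTTP request must be answered by a redirect to an https:// URL."""
    location = _header(headers, "Location") or ""
    if status not in (301, 302, 307, 308) or not location.startswith("https://"):
        return [f"no HTTPS redirect (status {status}, Location={location!r})"]
    return []

def check_csp(headers: Dict[str, str], domain: str) -> List[str]:
    """The tracker needs worker-src 'self' blob: and script-src 'self';
    an https://* wildcard should be narrowed to the OpenReplay domain."""
    raw = _header(headers, "Content-Security-Policy")
    if raw is None:
        return ["no Content-Security-Policy header"]
    policy, issues = parse_csp(raw), []
    for directive, needed in (("worker-src", {"'self'", "blob:"}),
                              ("script-src", {"'self'"})):
        sources = set(policy.get(directive, []))
        if needed - sources:
            issues.append(f"{directive} missing {sorted(needed - sources)}")
        if "https://*" in sources:
            issues.append(f"{directive} allows any https origin; use https://{domain}")
    return issues

def check_cors(headers: Dict[str, str], allowed: List[str]) -> List[str]:
    """Access-Control-Allow-Origin must not be '*' and must be an allowed origin.
    No header at all is fine: browsers then block cross-origin reads."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    if acao is not None and (acao == "*" or acao not in allowed):
        return [f"Access-Control-Allow-Origin is {acao!r}, expected one of {allowed}"]
    return []
```

Run all three checks against the same instance; an empty list from each means the redirect, CSP and CORS changes in vars.yaml actually reached NGINX.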