diff --git a/docs/en/observability/synthetics-params-secrets.asciidoc b/docs/en/observability/synthetics-params-secrets.asciidoc index 04acdcdd3a..4648470ed0 100644 --- a/docs/en/observability/synthetics-params-secrets.asciidoc +++ b/docs/en/observability/synthetics-params-secrets.asciidoc @@ -2,10 +2,12 @@ [[synthetics-params-secrets]] = Work with params and secrets -Params allow you to use dynamically defined values, including sensitive information, in your +Params allow you to use dynamically defined values, in your synthetic monitors. For example, you may want to test a production website with a particular demo account whose password is only known to the team managing the synthetic monitors. +Please read the <>for more information on security-sensitive use cases. + [discrete] [[synthetics-params-secrets-define]] = Define params 
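Review bot: the added cross-reference `<>for more information on security-sensitive use cases.` has an empty xref target and no space before "for", so the rendered page will show a broken link followed by "for more information"; fill in the anchor of the section that holds the security warning (the `[WARNING]` block edited later in this patch) and add the space, e.g. `Please read the <<section-anchor>> for more information on security-sensitive use cases.` Also, the rewritten first sentence `Params allow you to use dynamically defined values, in your` keeps the comma that previously introduced "including sensitive information"; now that the clause is gone, the comma is stray and should be dropped.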
@@ -148,11 +150,15 @@ Your synthetics scripts may require the use of passwords or other sensitive secr [WARNING] ==== -Because synthetics scripts have no limitations, a malicious script author could write a -synthetics journey that exfiltrates `params` and other data at runtime. +Please note that params are viewable in plain-text by administrators and other users with "all" privileges for +the synthetics app. +Additionally, note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a +synthetics journey that exfiltrates `params` and other data at runtime. Do *not* to use truly sensitive passwords (for example, an admin password or a real credit card) in *any* synthetics tools. Instead, set up limited demo accounts, or fake credit cards with limited functionality. +If you want to limit access to parameters ensure that that users who are not supposed to access those values do not have "all" privileges +for the Synthetics app, and that any scripts that use those values do not leak them in network requests or screenshots. ==== If you are managing monitors with projects, you can use environment variables
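Review bot: the new guidance `ensure that that users who are not supposed to access those values do not have "all" privileges` only says that "all" privilege holders see params in plain text and leaves the reader guessing whether lower privilege levels for the Synthetics app can also read them; state explicitly which privilege levels can and cannot view param values, since the sentence is meant to be the access-control rule an administrator acts on. Minor fixes in the same hunk: "that that" is doubled, "plain-text" should be "plain text" when used as a noun, and the unchanged context line `Do *not* to use truly sensitive passwords` has a typo ("Do *not* use") that is worth fixing while this block is being touched; "Please note that" and "Additionally, note that" can both be dropped for tighter warning text.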