elastic · vigneshshanmugam · Mar 21, 2024 · Mar 21, 2024
@@ -2,10 +2,12 @@
 [[synthetics-params-secrets]]
 = Work with params and secrets
 
-Params allow you to use dynamically defined values, including sensitive information, in your
-synthetic monitors. For example, you may want to test a production website with a particular
+Params allow you to use dynamically defined values in your synthetic monitors. 
+For example, you may want to test a production website with a particular
 demo account whose password is only known to the team managing the synthetic monitors.
 
+For more information about security-sensitive use cases, refer to the <<synthetics-secrets-sensitive, documentation about sensitive values>>.
+
 [discrete]
 [[synthetics-params-secrets-define]]
 = Define params
@@ -148,11 +150,16 @@ Your synthetics scripts may require the use of passwords or other sensitive secr
 
 [WARNING]
 ====
-Because synthetics scripts have no limitations, a malicious script author could write a
-synthetics journey that exfiltrates `params` and other data at runtime.
+Params are viewable in plain-text by administrators and other users with `all` privileges for
+the Synthetics app.
+Also note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a
+synthetics journey that exfiltrates `params` and other data at runtime. 
 Do *not* to use truly sensitive passwords (for example, an admin password or a real credit card)
 in *any* synthetics tools.
 Instead, set up limited demo accounts, or fake credit cards with limited functionality.
+If you want to limit access to parameters, ensure that users who are not supposed to access those values 
+do not have `all` privileges for the Synthetics app, and that any scripts that use those values 
+do not leak them in network requests or screenshots.
 ====
 
 If you are managing monitors with projects, you can use environment variables