#SelfHosted vs SaaS

sleek pivot

When I am using the Sentry SaaS DSN key, it correctly logs all the errors on Android, but when using the self-hosted DSN key the logs are failing, probably a 403 or CSRF-related issue.
Do I need to change anything in the client Android SDK for self-hosted, or do I need to change anything on the config side of the hosted Sentry?

Main Sentry Issues:

  1. CSRF Verification Failed (HTTP 403)
    The primary issue is that Sentry requests are failing with a 403 Forbidden error due to CSRF (Cross-Site Request Forgery) verification failure. The logs show:

        Request failed, API returned 403
        The transport failed to send the envelope with response code 403

  2. Missing Referer Header
    The HTML error response indicates that Sentry requires a 'Referer header' to be sent by the client, but none was provided. This is a security requirement to prevent CSRF attacks.
  3. Envelope Submission Failure
    As a result of the 403 error, Sentry envelopes (which contain error reports, session replays, etc.) are failing to be sent to the server and are being stored offline instead:

        Envelope submission failed
        Adding Envelope to offline storage

civic hawk BOT

Hi @sleek pivot. I'm happy to dig into this for you! I'll check my internal sources for answers to your question! :wave:

Based on the knowledge sources, the issues you’re experiencing with self-hosted Sentry (CSRF 403 errors, missing Referer header, and envelope submission failures) are not caused by the Android SDK or client-side configuration. Instead, they are almost always related to the configuration of your self-hosted Sentry instance, especially after recent updates that introduced stricter CSRF checks in Django 4+.

Key Points:

1. No Android SDK Changes Needed

There is no indication in the knowledge sources that you need to change anything in the Android SDK or how you send events when switching from SaaS to self-hosted Sentry. The SDK should work the same way for both, provided your self-hosted instance is configured correctly for public ingestion endpoints.

2. CSRF and Referer Issues Are Server-Side

The 403 CSRF errors and missing Referer header problems are due to how your self-hosted Sentry is set up, not the client. These issues are common after upgrading to newer Sentry versions that use Django 4, which enforces stricter CSRF and origin checks. The main configuration you need to review is CSRF_TRUSTED_ORIGINS in your sentry.conf.py file.

  • You must include the full schema (http/https) and domain in CSRF_TRUSTED_ORIGINS. For example:

    CSRF_TRUSTED_ORIGINS = [
        "https://sentry.yourdomain.com",
        "http://sentry.yourdomain.com",
    ]

    Wildcards or missing schemas will not work reliably with Django 4+ [source].

  • If you have multiple environments or domains, you may need to add each one explicitly.

  • After changing sentry.conf.py, you must re-run ./install.sh and restart your containers for changes to take effect [source].

3. Reverse Proxy and Ingestion Endpoint

Make sure your reverse proxy (nginx, Caddy, etc.) is routing envelope requests to the relay container, not directly to the web container. The correct flow is:

proxy (e.g., nginx) → relay → web

If envelopes are sent directly to the web container, you will get CSRF errors [source].

4. SSL/TLS and Cookie Settings

If you terminate SSL at a proxy and Sentry itself is running on HTTP, ensure that CSRF_COOKIE_SECURE is set appropriately (usually False if Sentry is not directly serving HTTPS) [source].

5. No Need for Auth Tokens for Event Ingestion

You do not need to set up any additional auth tokens for event ingestion; the DSN is sufficient [source].


Summary of Actions:

  • Update CSRF_TRUSTED_ORIGINS in sentry.conf.py to include your full domain(s) with schema.
  • Ensure your reverse proxy routes envelope requests to the relay container.
  • Re-run ./install.sh and restart Sentry after config changes.
  • No changes are needed on the Android SDK/client side.

If you follow these steps, your self-hosted Sentry should accept events from your Android app just like SaaS does [source] [source].

civic hawk BOT

Let me check the knowledge base for you again. One moment! :books:

No, you do not need to change anything in the client SDK to address the error about the missing 'Referer header'. This issue is caused by the configuration of your self-hosted Sentry instance, not by the client SDK.

The knowledge sources confirm that the 'Referer header' requirement and related CSRF errors are enforced by the server (Django/Sentry), and the solution is to adjust your server configuration—specifically, the CSRF_TRUSTED_ORIGINS setting and your reverse proxy setup—not the client SDK. The client (including Android and browser SDKs) does not control the Referer header in a way that would resolve this error for Sentry event ingestion. The server must be configured to accept requests from your application's domain(s) [ShowReportDialog - Referer is not sent (403 FORBIDDEN)] [Self-Hosted Sentry: Event submission rejected by django CSRF].

Summary:
You do not need to change anything in the client SDK. The fix is on the Sentry server side.