PR feedback

inventarSarah · inventarSarah · commit 3e0089556899 · 2025-05-28T10:12:41.000+02:00
diff --git a/docs/platforms/javascript/common/troubleshooting/index.mdx b/docs/platforms/javascript/common/troubleshooting/index.mdx
@@ -95,58 +95,61 @@ Most community CDNs properly set an `Access-Control-Allow-Origin` header.
 
 <PlatformSection supported={["javascript.sveltekit"]}>
 
-    <Expandable permalink title="Configure CSP for Client-side `fetch` Instrumentation">
+<Expandable permalink title="Configure CSP for Client-side `fetch` Instrumentation">
 
-        <Alert>
-            Only relevant for SvelteKit versions below `@sveltejs/kit@2.16.0`
-        </Alert>
-        If you're using a SvelteKit version older than `sveltejs/kit@2.16.0`, the Sentry SDK injects an inline `<script>` tag into the HTML response of the server.
-        This script proxies all client-side `fetch` calls so that `fetch` calls inside your `load` functions are captured by the SDK.
-        However, if you configured CSP rules to block inline fetch scripts by default, this script will be [blocked by the browser](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script).
+<Alert>
+    Only relevant for SvelteKit versions below `@sveltejs/kit@2.16.0`
+</Alert>
+If you're using a SvelteKit version older than `sveltejs/kit@2.16.0`, the Sentry SDK injects an inline `<script>` tag into the HTML response of the server.
+This script proxies all client-side `fetch` calls so that `fetch` calls inside your `load` functions are captured by the SDK.
+However, if you configured CSP rules to block inline fetch scripts by default, this script will be [blocked by the browser](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script).
 
-        You have multiple options to solve this CSP issue:
+You have multiple options to solve this CSP issue:
 
-        #### Option 1: Upgrade SvelteKit
+#### Option 1: Upgrade SvelteKit
 
-        The easiest option is to update `@sveltejs/kit` to at least version `2.16.0` (or newer). The SDK will not inject the fetch proxy script as it's no longer necessary.
+The easiest option is to update `@sveltejs/kit` to at least version `2.16.0` (or newer). The SDK will not inject the fetch proxy script as it's no longer necessary.
 
-        #### Option 2: Add Script Hash to CSP policy
+#### Option 2: Add Script Hash to CSP policy
 
-        To enable the script, add an exception for the `sentryHandle` script by adding the hash of the script to your CSP script source rules.
+To enable the script, add an exception for the `sentryHandle` script by adding the hash of the script to your CSP script source rules.
 
-        If your CSP is defined in `svelte.config.js`, you can add the hash to the `csp.directives.script-src` array:
+If your CSP is defined in `svelte.config.js`, you can add the hash to the `csp.directives.script-src` array:
 
-        ```javascript {filename:svelte.config.js} {5-7}
-        const config = {
-        kit: {
-            csp: {
-            directives: {
-                "script-src": ["sha256-y2WkUILyE4eycy7x+pC0z99aZjTZlWfVwgUAfNc1sY8="], // + rest of your values
-            },
-            },
-        },
-        };
-        ```
+```javascript {filename:svelte.config.js} {5-7}
+const config = {
+  kit: {
+    csp: {
+      directives: {
+        "script-src": ["sha256-y2WkUILyE4eycy7x+pC0z99aZjTZlWfVwgUAfNc1sY8="], // + rest of your values
+      },
+    },
+  },
+};
+```
 
-        For external CSP configurations, add the following hash to your `script-src` directive:
+For external CSP configurations, add the following hash to your `script-src` directive:
 
-        ```txt
-        'sha256-y2WkUILyE4eycy7x+pC0z99aZjTZlWfVwgUAfNc1sY8='
-        ```
-        <Alert>
-            We will not change this script any time soon, so the hash will stay consistent.
-        </Alert>
+```txt
+'sha256-y2WkUILyE4eycy7x+pC0z99aZjTZlWfVwgUAfNc1sY8='
+```
+
+<Alert>
+  We will not change this script any time soon, so the hash will stay
+  consistent.
+</Alert>
 
-        #### Option 3: Disable `fetch` Proxy Script
-        If you don't want to inject the script responsible for instrumenting client-side `fetch` calls, you can disable injection by passing `injectFetchProxyScript: false` to `sentryHandle`:
+#### Option 3: Disable `fetch` Proxy Script
 
-        ```javascript {filename:hooks.server.(js|ts)}
-        export const handle = sentryHandle({ injectFetchProxyScript: false });
-        ```
+If you don't want to inject the script responsible for instrumenting client-side `fetch` calls, you can disable injection by passing `injectFetchProxyScript: false` to `sentryHandle`:
 
-        Note that if you disable the `fetch` proxy script, the SDK will not be able to capture spans for `fetch` calls made by SvelteKit when your route has a server load function. This also means that potential spans created on the server for these `fetch` calls will not be connected to the client-side trace.
+```javascript {filename:hooks.server.(js|ts)}
+export const handle = sentryHandle({ injectFetchProxyScript: false });
+```
+
+Note that if you disable the `fetch` proxy script, the SDK will not be able to capture spans for `fetch` calls made by SvelteKit when your route has a server load function. This also means that potential spans created on the server for these `fetch` calls will not be connected to the client-side trace.
 
-    </Expandable>
+</Expandable>
 
 </PlatformSection>
 
diff --git a/platform-includes/sourcemaps/upload/primer/javascript.sveltekit.mdx b/platform-includes/sourcemaps/upload/primer/javascript.sveltekit.mdx
@@ -1,22 +1,27 @@
 ### Source Maps Upload
 
-By default, `sentrySvelteKit()` will add an instance of the Sentry Vite Plugin, to upload source maps for both server and client builds. This means that when you run a production build (`npm run build`), source maps will be generated and uploaded to Sentry so that you get readable stack traces in your Sentry issues.
+By default, the `sentrySvelteKit()` Vite plugin uploads source maps for both server and client builds. This means that when you run a production build (`npm run build`), source maps will be generated and uploaded to Sentry so that you get readable stack traces in your Sentry issues.
 
 However, you still need to specify your Sentry auth token as well as your org and project slugs.
 There are two ways to set them:
 
 **Option 1**
 
-You can set them as environment variables, for example, in a `.env` file:
+You can set all values as environment variables, for example, in a `.env` file:
 
-- `SENTRY_ORG` your Sentry org slug
-- `SENTRY_PROJECT` your Sentry project slug
-- `SENTRY_AUTH_TOKEN` your Sentry auth token (can be obtained from the [Organization Token Settings](https://sentry.io/orgredirect/organizations/:orgslug/settings/auth-tokens/))
-- `SENTRY_URL` your Sentry instance URL. This is only required if you use your own Sentry instance (as opposed to `https://sentry.io`).
+```bash {filename: .env}
+# DO NOT commit this file to your repo. The auth token is a secret.
+SENTRY_AUTH_TOKEN=___ORG_AUTH_TOKEN___
+SENTRY_ORG=___ORG_SLUG___
+SENTRY_PROJECT=___PROJECT_SLUG___
+# SENTRY_URL is only necessary if you're using a self-hosted Sentry
+# instance (as opposed to `https://sentry.io`)
+SENTRY_URL="https://your-sentry-instance.com"
+```
 
-**Option 2:**
+**Option 2**
 
-You can also set them by passing a `sourceMapsUploadOptions` object to `sentrySvelteKit`, as seen in the example below. For a full list of available options, see the [Sentry Vite Plugin documentation](https://www.npmjs.com/package/@sentry/vite-plugin#options).
+You can also set your org and project slugs by passing a `sourceMapsUploadOptions` object to `sentrySvelteKit`, as seen in the example below. For a full list of available options, see the [Sentry Vite Plugin documentation](https://www.npmjs.com/package/@sentry/vite-plugin#options).
 
 <OrgAuthTokenNote />
 
@@ -30,7 +35,7 @@ export default {
       sourceMapsUploadOptions: {
         org: "___ORG_SLUG___",
         project: "___PROJECT_SLUG___",
-        authToken: "___ORG_AUTH_TOKEN___",
+        authToken: "process.env.SENTRY_AUTH_TOKEN",
         // If you're self-hosting Sentry, also add your instance URL:
         // url: "https://your-self-hosted-sentry.com/",
       },
@@ -41,6 +46,10 @@ export default {
 };
 ```
 
+<Alert level="warning" title="Important">
+  To keep your auth token secure, always store it in an environment variable
+  instead of directly in your files.
+</Alert>
 ### Override SvelteKit Adapter Detection
 
 By default, `sentrySvelteKit` will try to detect your SvelteKit adapter to configure the source maps upload correctly. If you're not using one of the [supported adapters](/platforms/javascript/guides/sveltekit) or the wrong one is detected, you can override the adapter detection by passing the `adapter` option to `sentrySvelteKit`:
