-2

I'm looking at Segment's documentation right now and they have something called a "write key" that you include in your client-side JavaScript in order to send analytics data to the backend. If I include Segment in my website, what stops one of my customers from copying my write key and sending spoofed "analytics" data to my backend? If nothing is stopping them from doing this, then what can I do on the server to detect such bad behavior?

I'm trying to understand what server-side controls I may need to implement in order to prevent bad actors from sending bad telemetry to my service.

asked Sep 16, 2021 at 23:07
1
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. Commented Sep 17, 2021 at 2:04

1 Answer

3

The short answer is they don't. As you noted, any "key" that is exposed to the client is public and nothing prevents other people from copying/misusing that key. The slightly longer answer is that it is possible to employ server-side techniques to detect and discard spoofed data. For example, if a single IP address is spamming the server with tons of requests, it is likely that it's not coming from a real user. These days, there are more advanced machine learning systems that can detect a variety of attacks. So while you can't prevent clients from sending spoofed data, you (or Segment in this case) can and should detect this on the server side.

answered Sep 17, 2021 at 1:26
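
The per-IP volume check mentioned in the answer above, as an added example that is not part of the original answer or Segment's own code. The window length, the threshold, and the event shape (`ip`, `ts`, `name`) are assumptions, and the sample events are constructed.

```javascript
// Added example: sliding-window per-IP volume check for telemetry events
// that arrive with a public write key. WINDOW_MS and MAX_EVENTS are assumed
// values; tune them against real traffic.
const WINDOW_MS = 60000;
const MAX_EVENTS = 5;

function createDetector(windowMs = WINDOW_MS, maxEvents = MAX_EVENTS) {
  const recent = new Map(); // ip -> timestamps (ms) still inside the window

  // Returns true if the event should be accepted, false if it should be discarded.
  return function accept(event) {
    const cutoff = event.ts - windowMs;
    // Drop timestamps that have aged out, then record this event.
    const stamps = (recent.get(event.ip) || []).filter((t) => t > cutoff);
    stamps.push(event.ts);
    recent.set(event.ip, stamps);
    // Rejected events still count, so a continuing flood stays rejected.
    return stamps.length <= maxEvents;
  };
}

// Splits a batch into accepted events and the source IPs that exceeded the limit.
function classify(events, windowMs = WINDOW_MS, maxEvents = MAX_EVENTS) {
  const accept = createDetector(windowMs, maxEvents);
  const accepted = [];
  const flagged = new Set();
  const ordered = [...events].sort((a, b) => a.ts - b.ts);
  for (const ev of ordered) {
    if (accept(ev)) accepted.push(ev);
    else flagged.add(ev.ip);
  }
  return { accepted, flaggedIps: [...flagged] };
}

// Constructed sample: one address sends 20 events in 2 s,
// another sends 3 events spread over 2 minutes.
function sampleEvents() {
  const events = [];
  for (let i = 0; i < 20; i++) events.push({ ip: "203.0.113.7", ts: i * 100, name: "page" });
  for (let i = 0; i < 3; i++) events.push({ ip: "198.51.100.4", ts: i * 60000, name: "page" });
  return events;
}

const result = classify(sampleEvents());
console.log("flagged:", result.flaggedIps, "accepted:", result.accepted.length);
```

Many legitimate users can share one address behind NAT or a corporate proxy, so a per-IP threshold is a heuristic for discarding or reviewing data, not proof of spoofing.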
