Hacker News new | comments | show | ask | jobs | submit login
Ask HN: How to prevent spamming on JavaScript frontend logging API?
6 points by chengyinliu 1722 days ago | hide | past | web | 6 comments | favorite
Hello HN,

We are design an analytics logging API for our JS application. What bothers us is spamming prevention. I can't come up with a better way than rate limiting to prevent someone else use a fake client and spam the API. Is there something I missed here? What are some best practices on this? What do generic services, say Google Analytics, solve the problem?

Thank you.

I often have the same concern. What I ended up doing was issuing a token to each user, and verifying the token on the logging endpoint. That way, if someone decided to fill the logs with spam, we can easily delete all the events from that token. From what I've seen, major analytics services seem to do nothing at all to prevent a client from pretending to be any user, so this kind of abuse is probably rare enough that it shouldn't be a big concern. Some basic rate limiting is always a good idea, though.

But what is preventing a spammer who has made up his mind to reverse engineer your analytics code from faking the tokens? If its only about filtering, wouldn't it be easier and more effective to do them via ip-addresses?

>so this kind of abuse is probably rare enough that it shouldn't be a big concern

Yes I would agree too that its pretty rare since webmasters are more cautious around fishy looking sites. However, there were 2-3 instances I noticed someone spammed a referral into my Google Analytics data.

The tokens are cryptographically signed with a shared secret between the main server and analytics server. So an attacker can't forge another user's token. IP addresses would be a good solution also, especially if you need to track anonymous users.

Ahh I see, thats a good trick, the use of cryptographic signatures din't crossed my mind.

Thank you for sharing your solution.

I think per user token is good since we have captcha on registration. But we also want to something on non-logged-in pages/users. What can we do?

Also, if we connect the data point to a certain token, does that count as non-anonymously tracking user?

For anonymous users, generate a random token and store it in a cookie. Or you can use the IP address as nivla suggested.

Yes, at with these techniques you're tracking users across requests. But that's the point of this kind of analytics, isn't it?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact