Validate domain/origin #183
Replies: 9 comments
-
Yes, it's relatively easy to spoof traffic like this. Sending traffic stats to any
The Having a randomly generated tracking code for each site would improve this situation. Currently, seeing the Plausible is not unique in that sense. With any web analytics tool you can send spam traffic very easily. It's a problem for sure.
I like this idea. I'm planning to add a filter dropdown on the top of the dashboard. We could definitely include the request hostname in available filters and you could save
-
That sounds like a good trade-off of flexibility while also being able to ensure you're not using any non-production data. It seems similar to how tools like Stripe let you enable and view test data in their dashboard—but more flexible. 👍
-
So, does this mean that I can use Plausible across a fleet of subdomains without having to register each one manually? It's taken me ages to configure Google Analytics for subdomains & even then it's not quite right - is this something that "just works" with Plausible?
-
If you want to see the stats on separate dashboards you still have to register each site separately.
-
@jdrydn as a note, for
<script async defer data-domain="appcenter.elementary.io" src="https://stats.elementary.io/js/index.js"></script>
<script async defer data-domain="blog.elementary.io" src="https://stats.elementary.io/js/index.js"></script>
-
Good example of what sort of workarounds exist in the wild because we don't support this feature: https://johnschmidt.de/blog/using-plausible-analytics-in-your-next-js-app See Avoiding Counts in Preview Deployments
-
Hey, thanks for the reference 😀 Maybe a sort of UUID for each site would benefit that cause? Then, the
<script
  async
  defer
  data-id="66d88b9e-036a-44cc-a6eb-a5827cc734e3"
  src="https://stats.johnschmidt.cloud/js/plausible.js"
/>
To tackle the multiple / custom origins issue: user-defined array of allowed hostnames in the back-end? As in
-
Fathom apparently offers an "allowed domains" feature now: https://twitter.com/usefathom/status/1456316988138172421. Seems like the right approach to me.
-
Update: This is now possible. See https://plausible.io/docs/subdomain-hostname-filter#allow-traffic-from-specific-hostnames-only
-
Right now, it seems it would be possible to spoof stats for any site using Plausible by simply including their domain in the data-domain field—I found this out when doing development, and stats were still showing up in our Dashboard. But theoretically, I could add data-domain="plausible.io" on my site, and wreck the analytics for plausible.io—right? Which would be… undesirable.

If that's a desirable feature for some reason, then perhaps the dashboard could at least let you filter by verified/detected domain so we could filter out undesirable stats.
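The "allowed hostnames" idea raised in this thread, as an added example that is not Plausible's code or any participant's: an ingestion-side check that counts an event for a site only when the hostname in the reported page URL is on that site's allowlist. The `{name, url, domain}` event shape, the allowlist format and every hostname below are assumptions constructed for illustration.

```javascript
// Added example. Site names, hostnames and events are constructed, not from the thread.
// Per-site allowlist: data-domain value -> hostname patterns permitted to report for it.
const ALLOWED = new Map([
  ["example.com", ["example.com", "*.example.com"]],
]);

// Exact match, or "*.suffix" matching any subdomain (never the bare suffix, never a substring).
function hostnameMatches(pattern, hostname) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return hostname.length > suffix.length && hostname.endsWith(suffix);
  }
  return hostname === pattern;
}

// Decide whether an incoming event may be counted for the site it claims.
function checkEvent(event, allowed = ALLOWED) {
  const patterns = allowed.get(event.domain);
  if (!patterns) return { accept: false, reason: "unknown site" };
  let hostname;
  try {
    // URL lowercases the host; also drop a trailing root dot.
    hostname = new URL(event.url).hostname.replace(/\.$/, "");
  } catch {
    return { accept: false, reason: "unparseable url" };
  }
  const ok = patterns.some((p) => hostnameMatches(p, hostname));
  return ok
    ? { accept: true, hostname }
    : { accept: false, reason: `hostname ${hostname} not allowed`, hostname };
}

// Constructed sample events: production, subdomain, local dev, preview deploy, look-alikes.
const SAMPLE_EVENTS = [
  { name: "pageview", url: "https://example.com/pricing", domain: "example.com" },
  { name: "pageview", url: "https://blog.example.com/post", domain: "example.com" },
  { name: "pageview", url: "http://localhost:3000/pricing", domain: "example.com" },
  { name: "pageview", url: "https://preview-123.example-previews.test/", domain: "example.com" },
  { name: "pageview", url: "https://notexample.com/", domain: "example.com" },
  { name: "pageview", url: "https://example.com.other.test/", domain: "example.com" },
];

// Hostnames whose events would be dropped instead of polluting the dashboard.
function rejectedHostnames(events) {
  return events.map((e) => checkEvent(e)).filter((r) => !r.accept).map((r) => r.hostname);
}

console.log(rejectedHostnames(SAMPLE_EVENTS));
```

The hostname here comes from a URL the client reports, so this check removes development, preview and copied-snippet traffic rather than authenticating the sender.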