Validate domain/origin

[cassidyjames]

Right now, it seems it would be possible to spoof stats for any site using Plausible by simply including their domain in the data-domain field—I found this out when doing development, and stats were still showing up in our Dashboard. But theoretically, I could add data-domain="plausible.io" on my site, and wreck the analytics for plausible.io—right? Which would be… undesirable.

If that's a desirable feature for some reason, then perhaps the dashboard could at least let you filter by verified/detected domain so we could filter out undesirable stats.

Update: This is now possible. See https://plausible.io/docs/subdomain-hostname-filter#allow-traffic-from-specific-hostnames-only

[ukutaht]

But theoretically, I could add data-domain="plausible.io" on my site, and wreck the analytics for plausible.io—right?

Yes, it's relatively easy to spoof traffic like this.

Sending traffic stats to any data-domain regardless of what hostname the script is running on is in fact desirable. There were requests to

1. test the integration on a dev url
2. send traffic from multiple hostnames into one dashboard.
3. send traffic from one hostname to multiple separate dashboards

The data-domain attribute provides this flexibility much like the GA tracking code.

Having a randomly generated tracking code for each site would improve this situation. Currently, seeing the data-domain attribute makes it so plain that you can just enter any domain and see what happens. If it was data-site="9763489162" instead, you would have to check the website you want to spoof traffic for and grab their random ID. A small extra step but it might stop some people.

Plausible is not unique in that sense. With any web analytics tool you can send spam traffic very easily. It's a problem for sure.

then perhaps the dashboard could at least let you filter by verified/detected domain so we could filter out undesirable stats.

I like this idea. I'm planning to add a filter dropdown on the top of the dashboard. We could definitely include the request hostname in available filters and you could save hostname=mywebsite.com as the default filter. What do you think?

[cassidyjames]

That sounds like a good trade-off of flexibility while also being able to ensure you're not using any non-production data. It seems similar to how tools like Stripe let you enable and view test data in their dashboard—but more flexible. 👍

[jdrydn]

So, does this mean that I can use Plausible across a fleet of subdomains without having to register each one manually? It's taken me ages to configure Google Analytics for subdomains & even then it's not quite right - is this something that "just works" with Plausible?

[ukutaht]

So, does this mean that I can use Plausible across a fleet of subdomains without having to register each one manually?

If you want to see the stats on separate dashboards you still have to register each site separately.

[cassidyjames]

@jdrydn as a note, for elementary.io we have the main domain setup with a custom stats.elementary.io subdomain proxy in its dashboard, and then we set up separate dashboards for subdomains like appcenter.elementary.io, blog.elementary.io, etc. We are able to use the same code snippet on all of them just with a separate data-domain="" value. It's a nice way to handle it imho.

<script async defer data-domain="appcenter.elementary.io" src="https://stats.elementary.io/js/index.js"></script>

<script async defer data-domain="blog.elementary.io" src="https://stats.elementary.io/js/index.js"></script>

[ukutaht]

Good example of what sort of workarounds exist in the wild because we don't support this feature: https://johnschmidt.de/blog/using-plausible-analytics-in-your-next-js-app

See Avoiding Counts in Preview Deployments

[jopesh]

Having a randomly generated tracking code for each site would improve this situation.

Hey, thanks for the reference 😀 Maybe a sort of UUID for each site would benefit that cause? Then, the data-domain or data-id could reference this UUID to obstruct - at least a little.

<script
  async
  defer
  data-id="66d88b9e-036a-44cc-a6eb-a5827cc734e3"
  src="https://stats.johnschmidt.cloud/js/plausible.js"
/>

To tackle the multiple / custom origins issue: user-defined array of allowed hostnames in the back-end? As in test.com, foo.com, bar.com. The API might only accept events with a given UUID only if it originates from an allowed hostname. The hostname could be resolved from the requests headers.hostname for a "light" authorization. It could still be spoofed, of course, but with slight more effort.

[tf]

Fathom apparently offers an "allowed domains" feature now: https://twitter.com/usefathom/status/1456316988138172421. Seems like the right approach to me.

[metmarkosaric]

Update: This is now possible. See https://plausible.io/docs/subdomain-hostname-filter#allow-traffic-from-specific-hostnames-only