Content pfp
Content
@
0 reply
0 recast
0 reaction

max pfp
max
@maxmandia
Let’s say you’re making a react sdk that allows the installers users to send events to the sdk platform, where the installer can then view them. We can give the installer a publishable key to determine which events belong to them, but since this key is client side, couldn’t anyone spoof the key? Advice appreciated!
1 reply
0 recast
1 reaction

typeof.eth 🔵 pfp
typeof.eth 🔵
@typeof.eth
You could have the installer specify allowed domains and only track events that come from that domain.
1 reply
0 recast
0 reaction

max pfp
max
@maxmandia
couldn’t you set up a proxy server to spoof the referer?
1 reply
0 recast
0 reaction

typeof.eth 🔵 pfp
typeof.eth 🔵
@typeof.eth
Yeah but you can guard some of that stuff on your server. If your users API keys must live on the client, the options are limited afaik. Whitelisting domains is how some RPC providers and analytics clients do it though.
1 reply
0 recast
0 reaction

max pfp
max
@maxmandia
cool makes sense. just trying to get an understanding of what an acceptable mvp looks like for this sort of thing
0 reply
0 recast
1 reaction