
Hey everybody,

I was wondering what would be the best way to use Segment within a CLI tool. Should we directly embed the write-key and send data to Segment or should we use a proxy service which then redirects the data to Segment?

How do we protect against abuse? Everybody can just extract the write-key and spam anonymous_ids to exhaust our MTUs. 

Best,

Max

Hey Max,

We have some information about exposing write keys in our docs. You can check that out here. A new write key can be generated directly in Segment if you detect any bad actors.

If you are worried about exposing the write key, it may be best to look into implementation using a server-side integration such as our HTTP Tracking API, or other libraries. In essence, collecting the data and making any determinations on bad actors before sending data to Segment. This will remove the real-time element of a client-side integration, but will allow you to hide the write key.

Hopefully this info is useful and feel free to drop a reply if you have any questions.

Cheers!


Hey Tyler,

thank you for your answer!

I have a few follow-up questions:
If I regenerate the write-key, I will lose tracking for all existing distributed binaries out there. Also the actor could just use the new key. 
We already had a case where some crawler scraped the website and emitted dozens of random events, which all ended up as separate tables in our data warehouse.

I guess the best solution is if we build a custom proxy with strict input control and clever rate-limiting. Are there some tools which Segment already provides to achieve this, or do we need to completely handle endpoint protection on our own?

Best Max


Hey Max,

Sorry to hear that you’ve encountered a malicious user sending bogus data. As with all public-facing APIs like Segment, authentication is required to send traffic - so some step of the process will require the write key to be visible, whether encrypted or not.

Protocols can help you govern unplanned events before they reach your destinations if messy data is the issue...

However, it sounds like your primary concern is to protect your MTU allowance from being expended by bad actors. If that is the case, then you can absolutely use a custom proxy that sits between Segment and the end user; rate-limiting or providing additional filtering. There’s unfortunately no one-size-fits-all solution to this problem, but the custom proxy documentation has detailed information on the implementation that Segment needs to get events flowing through a custom proxy.

Cheers,

Tyler
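A minimal version of the proxy-side checks Max proposes and Tyler confirms, added here as an example (it is not code from Segment or from either poster): it accepts only a known set of event names so a crawler's invented events cannot become warehouse tables, caps events per client and distinct anonymousIds per IP to protect the MTU allowance, and builds the HTTP Tracking API call so the write key exists only on the proxy. The event names, thresholds and the `reset_state` helper are assumptions; the `api.segment.io/v1/track` endpoint and write-key-as-Basic-auth-username convention are Segment's documented HTTP API.

```python
import base64
import json
import urllib.request
from collections import defaultdict, deque
from typing import Optional

# Constructed policy; the thresholds and event names are assumptions, not Segment's.
ALLOWED_EVENTS = {"cli_started", "command_run", "command_failed"}
MAX_EVENTS_PER_MINUTE = 30   # per (client IP, anonymousId)
MAX_DISTINCT_IDS_PER_IP = 5  # an IP minting many anonymousIds looks like MTU abuse
SEGMENT_TRACK_URL = "https://api.segment.io/v1/track"

_windows = defaultdict(deque)   # (ip, anonymousId) -> timestamps in the last minute
_ids_per_ip = defaultdict(set)  # ip -> anonymousIds seen so far


def reset_state() -> None:
    _windows.clear()
    _ids_per_ip.clear()


def check_event(event: dict, source_ip: str, now: float) -> Optional[str]:
    """Return None if the event may be forwarded, otherwise the rejection reason."""
    name = event.get("event")
    if not isinstance(name, str) or name not in ALLOWED_EVENTS:
        return "unknown_event"  # unknown names never reach the warehouse
    anon = event.get("anonymousId")
    if not isinstance(anon, str) or not 8 <= len(anon) <= 64:
        return "bad_anonymous_id"
    ids = _ids_per_ip[source_ip]
    if anon not in ids and len(ids) >= MAX_DISTINCT_IDS_PER_IP:
        return "too_many_ids"  # ids already seen from this IP keep working
    ids.add(anon)
    window = _windows[(source_ip, anon)]
    while window and window[0] <= now - 60:
        window.popleft()  # slide the one-minute window
    if len(window) >= MAX_EVENTS_PER_MINUTE:
        return "rate_limited"
    window.append(now)
    return None


def build_segment_request(event: dict, write_key: str) -> urllib.request.Request:
    """Forward only the fields we expect; the write key never leaves the proxy."""
    body = {"event": event["event"], "anonymousId": event["anonymousId"],
            "properties": event.get("properties", {})}
    token = base64.b64encode(f"{write_key}:".encode()).decode()
    return urllib.request.Request(
        SEGMENT_TRACK_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
```

A rejected event is simply dropped (or counted for alerting); only events that pass `check_event` are sent with `urllib.request.urlopen(build_segment_request(...))`.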
