Data Integrity & Anti-Spoofing
How Fusionaly protects your analytics from fake events, bot traffic, and backend spoofing attempts
Fusionaly includes multiple layers of protection to ensure your analytics data reflects real user behavior. Unlike cloud analytics platforms that rely on opaque filtering, Fusionaly’s defenses are transparent and run entirely on your server.
Browser-Only Validation
Section titled “Browser-Only Validation”The most critical protection is browser-only validation — a defense-in-depth approach that blocks requests not originating from real web browsers.
How It Works
Section titled “How It Works”Every event sent to Fusionaly’s ingestion API must pass three validation checks:
-
Sec-Fetch-Site Header — Modern browsers automatically include this header on every fetch/XHR request. It indicates the relationship between the request origin and target (same-origin, same-site, cross-site, or none). Requests without this header are rejected.
-
Valid Header Values — The
Sec-Fetch-Sitevalue must be one of the four valid browser values. Invalid or fabricated values (likebackendorserver) are rejected. -
Origin or Referer Header — Browsers always include at least one of these headers for cross-origin POST requests. Requests missing both are rejected.
What Gets Blocked
Section titled “What Gets Blocked”| Request Type | Blocked? | Reason |
|---|---|---|
| curl/wget | ✅ Yes | Missing Sec-Fetch-Site header |
| Postman/Insomnia | ✅ Yes | Missing Sec-Fetch-Site header |
| Backend HTTP clients | ✅ Yes | Missing browser headers |
| Forged headers with invalid values | ✅ Yes | Invalid Sec-Fetch-Site value |
| Real browser (Chrome, Firefox, Safari) | ❌ No | Passes all checks |
| Browser extensions | ❌ No | Uses browser’s fetch API |
Why This Matters
Section titled “Why This Matters”Without browser validation, anyone could send fake events to your analytics:
# This would be rejectedcurl -X POST https://your-site.com/x/api/v1/events \ -H "Content-Type: application/json" \ -d '{"url": "https://example.com/fake-page", ...}'Even if an attacker adds fake headers:
# This would also be rejected - missing Origin/Referercurl -X POST https://your-site.com/x/api/v1/events \ -H "Sec-Fetch-Site: cross-site" \ -d '{"url": "https://example.com/fake-page", ...}'The combination of multiple header checks makes spoofing significantly harder than checking a single header.
Browser Header Security
Section titled “Browser Header Security”The Sec-Fetch-* headers are forbidden headers in browsers — JavaScript cannot set or modify them. Only the browser itself can include these headers, which is what makes them reliable for validation:
fetch()andXMLHttpRequestcannot overrideSec-Fetch-Site- The browser always sends the truthful value based on the actual request origin
- Backend HTTP clients don’t send these headers by default
Additional Protections
Section titled “Additional Protections”Rate Limiting
Section titled “Rate Limiting”Public ingestion endpoints are rate-limited per IP address (default: 100 requests/minute). This prevents:
- Denial of service attempts
- Automated scraping or probing
- Runaway loops in client code
Bot Filtering
Section titled “Bot Filtering”User-Agent analysis filters out known bots and crawlers before events are processed. Common patterns like Googlebot, bingbot, and headless browsers are excluded from analytics.
For stronger bot protection, consider placing Cloudflare in front of your Fusionaly instance. Cloudflare’s Bot Management uses machine learning, behavioral analysis, and fingerprinting to block sophisticated bots that can evade User-Agent detection.
IP Exclusion
Section titled “IP Exclusion”You can configure IP addresses to exclude from tracking (useful for filtering your own team’s traffic or known VPN exits).
Defense in Depth
Section titled “Defense in Depth”These protections work together as layers:
Request → Rate Limit → Browser Validation → Bot Filter → IP Check → Store ↓ ↓ ↓ ↓ 503 error 403 error Ignored IgnoredEach layer catches different attack vectors:
- Rate limiting stops volume-based attacks
- Browser validation stops programmatic spoofing
- Bot filtering removes non-human traffic
- IP exclusion removes known false positives
Transparency
Section titled “Transparency”Unlike cloud analytics that filter data with proprietary algorithms, Fusionaly’s protections are:
- Open source — you can audit exactly what gets filtered
- Configurable — adjust thresholds and rules to your needs
- Local — all filtering happens on your server, no external services
Your analytics data is only as trustworthy as the ingestion pipeline. Fusionaly ensures that pipeline accepts only genuine browser events.