Data Integrity

How Fusionaly protects your analytics from fake events and bot traffic

Your analytics should reflect real user behavior. Fusionaly blocks fake events, bots, and spoofing attempts — all on your server, all open source.

Every event must come from a real browser. No exceptions.

Three checks, all must pass:

  1. Sec-Fetch-Site header — Browsers include this automatically. Requests without it are rejected.
  2. Valid header value — Must be a real browser value (same-origin, same-site, cross-site, none). Fake values rejected.
  3. Origin or Referer header — Browsers always send at least one for POST requests. Missing both? Rejected.

Request Type         | Blocked? | Why
curl/wget            | Yes      | No Sec-Fetch-Site header
Postman/Insomnia     | Yes      | No Sec-Fetch-Site header
Backend HTTP clients | Yes      | Missing browser headers
Forged headers       | Yes      | Invalid values
Real browsers        | No       | Pass all checks

The Sec-Fetch-* headers are forbidden headers — JavaScript can’t set or modify them. Only the browser can. Backend clients don’t send them at all.

This makes spoofing hard:

# Rejected — missing headers
curl -X POST https://your-site.com/x/api/v1/events \
-d '{"url": "https://fake-page.com"}'
# Also rejected — missing Origin/Referer
curl -X POST https://your-site.com/x/api/v1/events \
-H "Sec-Fetch-Site: cross-site" \
-d '{"url": "https://fake-page.com"}'
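
The three checks above, written as Go `net/http` middleware and exercised with constructed requests. This is an added example, not Fusionaly's own code: the names `checkBrowserHeaders`, `requireBrowser` and `statusFor` are hypothetical, and the 403 response follows the pipeline diagram on this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Sec-Fetch-Site values the page lists as valid.
var validFetchSite = map[string]bool{"same-origin": true, "same-site": true, "cross-site": true, "none": true}

// checkBrowserHeaders runs the three checks in order; "" means all passed.
func checkBrowserHeaders(h http.Header) string {
	site := h.Get("Sec-Fetch-Site")
	switch {
	case site == "":
		return "missing Sec-Fetch-Site"
	case !validFetchSite[site]:
		return "invalid Sec-Fetch-Site value"
	case h.Get("Origin") == "" && h.Get("Referer") == "":
		return "missing Origin and Referer"
	}
	return ""
}

// requireBrowser wraps an event handler and answers 403 when any check fails.
func requireBrowser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if reason := checkBrowserHeaders(r.Header); reason != "" {
			http.Error(w, reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed POST through the middleware and returns the status code.
func statusFor(headers map[string]string) int {
	ok := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // stand-in store, replies 200
	req := httptest.NewRequest("POST", "/x/api/v1/events", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	requireBrowser(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor(nil), statusFor(map[string]string{"Sec-Fetch-Site": "cross-site"})) }
```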

User-Agent analysis filters known bots and crawlers: Googlebot, bingbot, headless browsers, etc.

For stronger protection, put Cloudflare in front of your instance. Their bot detection catches sophisticated bots that evade User-Agent checks.

Requests are limited to 100 per minute per IP. This blocks:

  • Denial of service attempts
  • Automated probing
  • Runaway client loops

Request → Rate Limit → Browser Check → Bot Filter → Store
              ↓              ↓              ↓
          503 error      403 error       Ignored

Each layer catches different attacks. Together, they ensure only real browser events reach your database.

Unlike cloud analytics with proprietary filtering, everything here is:

  • Auditable — read the code
  • Configurable — adjust to your needs
  • Local — runs on your server, no external calls