Snowplow Collector Authentication

Hey @davidher_mann,

Thanks for your response. I think a WAF is ideal for preventing DoS attacks. But I don’t see how I would prevent requests outside of approved domains from entering the system. Without some sort of secret, I don’t see how to stop a malicious user from fabricating a request to circumvent the rules that the WAF would filter out. I understand I could authenticate a token within the request during the Enrichment process (based on: Snowplow JS Authentication - #6 by matus), but I want to prevent the event from entering the Collector in the first place. This post from @mike explains the same problem:

Signing is probably likely to reduce users sending targeted data but if you have a signing method that is executing client side then it necessitates having that secret available on the client. If an attacker is determined enough they can determine the secret and signing method and still send dummy data. As far as I’m aware there aren’t any analytics tools (or many other tools for that matter) that prevent request tampering. Data that is sent from the client is default assumed to be untrusted so folks that want to prevent tampering tend to move these events server side rather than relying on code that executes on the client.
Snowplow JS Authentication - #8 by mike

Brandon
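As an added illustration of the point the thread makes (not code from the thread or from Snowplow): a request signature can only keep fabricated events out of the Collector when the signing secret lives on a server-side sender, never in the browser. The verifier below, intended to sit in front of the Collector (for example in a reverse proxy), checks an HMAC over a timestamp and the body; the header names and the 300-second freshness window are assumptions of this example.

```python
import hashlib
import hmac

# Assumed header names for this example; they are not a Snowplow convention.
SIG_HEADER = "X-Event-Signature"
TS_HEADER = "X-Event-Timestamp"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is too old or too far ahead


def sign_request(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the server-side sender attaches: HMAC-SHA256 over the
    timestamp and the body, so neither can change without the secret."""
    msg = str(timestamp).encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, headers: dict, body: bytes, now: int) -> tuple:
    """Return (accepted, reason). Runs before the event reaches the Collector,
    so rejected requests are never written to the event stream."""
    sig = headers.get(SIG_HEADER)
    ts_raw = headers.get(TS_HEADER)
    if not sig or not ts_raw:
        return False, "missing signature or timestamp"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"  # bounds replay of a captured request
    expected = sign_request(secret, ts, body)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a server-side sender signs a payload, the edge verifies it.
    secret = b"example-secret-held-only-on-the-server"
    body = b'{"e":"pv","url":"https://example.org/"}'
    now = 1_700_000_000
    headers = {TS_HEADER: str(now), SIG_HEADER: sign_request(secret, now, body)}
    print(verify_request(secret, headers, body, now))
    print(verify_request(secret, headers, body + b"x", now))  # tampered body
```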