segmentio / analytics-next

Segment Analytics.js 2.0
https://segment.com/docs/connections/sources/catalog/libraries/website/javascript
MIT License

How to Set a Whitelist of Domains for a Segment JavaScript source WriteKey to Prevent Misuse? #1059

Closed naviangie closed 2 months ago

naviangie commented 3 months ago

I'm concerned about the potential for the writeKey to be extracted and misused by third parties on unauthorized domains.

Is there a way to configure a whitelist of domains through any settings in the analytics service, which would only allow my writeKey to be used from specific, authorized domains I designate?

silesky commented 3 months ago

Hey @naviangie.

Sorry, Segment does not support anything like that AFAIK (an origin whitelist, or some writekey-by-writekey custom CORS headers).

The best you might be able to do is revoke a write key if, say, your website is being cloned via a phishing website. This might be hacky, but it would be possible to use edge functions or destination filters to just drop the event based on what's included in the page URL. You can also contact support for more help on finding a bespoke solution -- they would know more about the options.

Of course, the request body can always be crafted in a deceptive way, so there's no guarantee that the origin is valid. I responded to an issue here around why the write key is 'public' FYI: https://github.com/segmentio/analytics-next/issues/1050#issuecomment-2004604183
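The drop-by-page-URL idea from the reply above, as an added example that is not part of the original thread and not Segment's own code. It assumes events carry the page URL at `context.page.url`; `ALLOWED_HOSTS`, `pageHost`, `shouldDropEvent` and the sample events are hypothetical, and wiring the check into an edge function or filter is left out.

```javascript
// Added example: host allowlist check on the page URL carried in an event.
// Assumption: the event carries the page URL at context.page.url.
const ALLOWED_HOSTS = ['example.com', 'shop.example.com']; // constructed values

// Returns the hostname of an absolute http(s) URL, or null if unusable.
function pageHost(event) {
  const raw = event && event.context && event.context.page && event.context.page.url;
  if (typeof raw !== 'string') return null;
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return null; // relative or malformed URL
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // hostname excludes userinfo and port, so "https://example.com@other.test/"
  // resolves to "other.test" rather than "example.com".
  return url.hostname.toLowerCase().replace(/\.$/, '');
}

// Exact host comparison only. Substring or suffix matching on the raw URL
// would accept hosts such as "example.com.lookalike.test".
function shouldDropEvent(event, allowedHosts = ALLOWED_HOSTS) {
  const host = pageHost(event);
  return host === null || !allowedHosts.includes(host);
}

// Constructed sample events, not captured traffic.
const SAMPLE_EVENTS = [
  { context: { page: { url: 'https://example.com/pricing' } } },
  { context: { page: { url: 'HTTPS://SHOP.EXAMPLE.COM:8443/cart?x=1' } } },
  { context: { page: { url: 'https://example.com.lookalike.test/pricing' } } },
  { context: { page: { url: 'https://example.com@lookalike.test/' } } },
  { context: { page: { url: 'https://lookalike.test/?next=https://example.com' } } },
  { context: { page: { url: '/pricing' } } },
  { type: 'track', event: 'Order Completed' }, // no page context at all
];

// true means "drop this event".
function dropDecisions() {
  return SAMPLE_EVENTS.map((e) => shouldDropEvent(e));
}

console.log(dropDecisions());
```

Because the URL is supplied by the client, this only filters traffic from pages that report their real location, which is the limitation the reply points out.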