Describe the bug
All the ingestion endpoints (api/track, api/identify), are not protected by any checks. The minimal protection should be to check the origin and/or referrer of the incoming request.
To Reproduce
Steps to reproduce the behavior:
- make a POST call to the api/track with any Host header and see that it writes data.
Expected behavior
Only calls from the website including the script should be allowed to write data.
Additional context
Running self hosted version 2.6.0 behind a nginx proxy.
Describe the bug
All the ingestion endpoints (api/track, api/identify), are not protected by any checks. The minimal protection should be to check the origin and/or referrer of the incoming request.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Only calls from the website including the script should be allowed to write data.
Additional context
Running self hosted version 2.6.0 behind a nginx proxy.