by Avfrosta
569 days ago
No, that key is verified against your domain connected to your user credentials. Meaning that if someone else uses your key on their website, their POST request to my server will be declined because their domain is not the domain you provided. But you're right, might be a good idea to change the name of the key or work it out completely, it does look like it could be a vulnerability from an outsider's perspective.
I'm also concerned about your claim for GDPR compliance. Keeping an IP address for a day and then incrementing against it is still storing personal information, even if it's not in a cookie. Using a server to do the tracking doesn't automatically exempt it from cookie notices.
Storing the IP address for a day doesn't automatically make it non-PII, either. At the very least you should be hashing it. See what Plausible does at https://plausible.io/data-policy or read up on the GDPR discussion at https://ec.europa.eu/justice/article-29/documentation/opinio...
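The two comments above describe two server-side checks: rejecting a POST whose browser Origin does not match the domain registered for the key, and counting daily unique visitors from a hashed rather than raw IP address. The following is an added example of both, written for this thread and not code from Avfrosta's service or from Plausible; the key registry, the in-memory hit store, and the sample IPs and domains are all constructed assumptions. The hash uses an HMAC under a secret salt that rotates every day and is discarded afterwards, since a plain unsalted hash of an IPv4 address can be reversed by enumerating the address space.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Hypothetical registry (constructed): site key -> the domain its owner registered.
REGISTERED_SITES: Dict[str, str] = {
    "site-key-abc123": "example.com",
}

# One random salt per calendar day (key is an ISO date string such as "2024-01-01").
# The salt is never written to durable storage, so once a day rolls over its
# hashes can no longer be linked back to an IP even by the server operator.
_daily_salts: Dict[str, bytes] = {}


def daily_salt(day: str) -> bytes:
    """Return the secret salt for `day`, generating it on first use."""
    return _daily_salts.setdefault(day, secrets.token_bytes(32))


def origin_host(origin_header: Optional[str]) -> Optional[str]:
    """Extract the lower-cased host from an Origin header such as 'https://example.com'.
    Returns None for a missing header or the literal 'null' origin."""
    if not origin_header or origin_header == "null":
        return None
    host = urlsplit(origin_header).hostname
    return host.lower() if host else None


def key_matches_origin(site_key: str, origin_header: Optional[str]) -> bool:
    """Accept only if the key is known and the Origin host equals its registered domain.
    Caveat: browsers set Origin, but any non-browser client can send an arbitrary
    value, so this check stops a key being embedded on another website; it is not
    authentication of the sender."""
    registered = REGISTERED_SITES.get(site_key)
    host = origin_host(origin_header)
    if registered is None or host is None:
        return False
    return host == registered.lower()


def visitor_id(ip: str, site_key: str, day: str) -> str:
    """Pseudonymous visitor identifier: HMAC-SHA256 of (site, IP) under the day's salt.
    The same IP on the same site and day maps to the same id; on another day it does not."""
    mac = hmac.new(daily_salt(day), f"{site_key}|{ip}".encode(), hashlib.sha256)
    return mac.hexdigest()


def record_hit(store: Dict[str, Set[str]], site_key: str, ip: str,
               origin_header: Optional[str], day: str) -> bool:
    """Handle one counting request. The raw IP is used only to derive the id and is
    never stored; returns False when the request is rejected."""
    if not key_matches_origin(site_key, origin_header):
        return False
    store.setdefault(day, set()).add(visitor_id(ip, site_key, day))
    return True


def unique_visitors(store: Dict[str, Set[str]], day: str) -> int:
    """Number of distinct pseudonymous visitors recorded for `day`."""
    return len(store.get(day, set()))


if __name__ == "__main__":
    hits: Dict[str, Set[str]] = {}
    # Constructed sample traffic: two hits from one IP, one from another, one from a foreign origin.
    record_hit(hits, "site-key-abc123", "203.0.113.5", "https://example.com", "2024-01-01")
    record_hit(hits, "site-key-abc123", "203.0.113.5", "https://example.com", "2024-01-01")
    record_hit(hits, "site-key-abc123", "203.0.113.6", "https://example.com", "2024-01-01")
    record_hit(hits, "site-key-abc123", "203.0.113.7", "https://other-site.example", "2024-01-01")
    print("unique visitors on 2024-01-01:", unique_visitors(hits, "2024-01-01"))
```

Whether this is enough for GDPR is a separate legal question the thread raises and this example does not settle; what it shows is the technical minimum the second comment asks for: the raw address is never persisted, the per-day salt bounds how long two visits can be linked, and the Origin check is only as strong as the client's willingness to send an honest header.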