Preventing Client-Side Access Token Abuse

September 22nd, 2020 • By Brian Rue

Unfortunately there is no silver bullet here -- all analytics services have this problem too (Google Analytics, Mixpanel, etc.).

Our best practices for mitigating this problem:

Access tokens Use a separate client-side token with postclientitem scope only. (This is the default postclientitem token.) The client-side access token can only be used to send events and only from client-side platforms. It can't be used to read any data, and it can't be used to spoof server-side events.

Tokens can be disabled and replaced at any time. If someone is abusing your token, you can disable it and use a new one instead.

IP Blocklist We also provide an IP Blocklist so that you can blocklist specific malicious IPs. You can find the source IPs in the Rollbar interface, and then add those IP(s) to the blocklist. (Project -> Settings -> IP Blocklist)

Get the latest updates delivered to your inbox.