We want to embed an ajax style service into a number of our websites each with a unique api key. The problem that I can see is that because the api key is stored in the javascript file the user could potentially take the key, spoof the http referrer, and make millions of requests to the api under that api key.
So I am wondering how Google prevents Analytics spoofing? As this uses almost the same idea.
I'm also open to other ideas, essentially here is the process.
SiteA -> User <-> Ajax <-> SiteB
EDIT - is there any way to protect the API from being abused while having it called via ajax?
I don't believe there are any such protection measures in place. Spoofing of traffic is a serious problem for other Google services, such as Adwords. For instance a malicious individual who is bidding on adwords can generate many fake clicks for their competitor's ads to drive up their advertising costs and thus Google's stock price. The inverse is also true, people will generate fake clicks on their site to get extra money from a PayPer Click ad on their site.
At the end of the day a hacker can amass a list of 10,000+ anonymous proxy servers without too much difficulty and there isn't much you can do about it. A hacker could also use a botnet, some of which are millions in size. Traffic generated from a botnet can appear to be legitimate machines with a legit Google Cookie, because they where hijacked.
Many proxies and bonet'ed machines are enumerated by Realtime Black Lists (RBL) such as the one run by http://www.spamhaus.org , and many legitimate ip addresses are also on that list. There are also proxies that can't be used for spam but could be used for click fraud and thus they won't be on that list.
At a guess, I'd say the key is one half of a public-private key pair that (somehow) includes the URL as a hash. This way, the key will only work, and the hits only registered, if the request is for the URL for which the key was generated. You can't spoof the request, because if you do it goes to the wrong URL and nothing happens.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 老娘就宠你 的文章《How does Google Analytics prevent traffic spoofing》','https://www.manongdao.com/article-301007.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}