TLDR: I made a public-only web analytics tool without signup. It stores views and visitors for 10 days before deleting the data.
Exactly 25 days ago today I posted here, proud of my new web analytics. The response was mixed and my post even got flagged (understandable). It was my first real launch and I actually made a sale just a day later, for $49 (!). Back then my project was pay once, keep forever. Since then I have sadly gone over to the dark side (subscription-based).
Anyways, I never went back to look at the post after the first two hours; turns out I got a lot of answers. Most answers were something like: "Yea yea, this is great... but why not self-host?". And to be honest, I don't really have a good answer to that; I myself used to self-host.
Since switching over to subscription-based pricing I have gotten two customers, although one cancelled. So at the moment I have one subscription-based customer. And while I'm not planning to shut it down anytime soon (not very expensive to run) I am looking forward to new projects.
As a way to create a little "boilerplate" for myself I created my latest project Indielytics. It's a stupidly simple, public-only, free-to-use web analytics tool. By adding a small JS snippet to your HTML you will automatically start displaying daily unique visitors and views on www.indielytics.link/your-domain.
It's GDPR-compliant and cookieless too. One of the big cons: data is kept for only 10 days to make sure I can afford this.
How it works: the script in your website's HTML sends the domain, user agent and IP address over to my servers. To then be able to count unique visitors without storing any personally identifiable information (PII), the IP address is first truncated (the last segments are discarded). After that the domain + user agent + IP address is hashed with a daily rotating salt. Then it's stored in an EU-hosted DB. The raw IP address is never stored anywhere other than in memory (although it can probably be found in your server logs). The hashed strings are deleted within 24 hours.
Vulnerabilities: Right now there are some big cons to the way I have done this. The biggest problem is that a lot of fake requests could easily be sent to my endpoint and thus increase the number displayed for a website's analytics. With simplytics.dev this wasn't really a problem, since there's no reason for people to fake their own data.
But the purpose of Indielytics is to display your analytics to others, which I fear will draw a lot more users with malicious intent.
I'd love feedback on the project, and I'd also love to hear solutions to my above-mentioned problem.
This is really awesome, can you make it open source?
The fake requests problem has been solved, at least partly.
I added a simple CORS check that makes sure the request is coming from the same domain as the request itself says it's coming from. Also added rate limiting.