Tracking code API - can be runned on any domain?


I’m wondering why Tracking code API for my Hubspot portal works on any domain, even on localhost? No matter what domains are listed as site domains on settings page.

Does it mean that anyone can extract my tracking code from source code of page and add/modify contacts in my portal?


Hi @oleg.panichev,

We have various anti-spam and anti-DDoS protections that protect against malicious activity for all APIs, including un-authed endpoints like the Tracking Code API. With regard to events, you can delete them in HubSpot if you’re looking to prevent additional completions of a given event. If you’re seeing any activity that you believe to be malicious, feel free to reach out to me and we can work with security to find a solution.