So I'm stuck trying to figure out how Google Analytics avoids spoofing. Sure, when you sign up for an account, they make you verify that you own the domain by uploading a file. But you are also given some script tags with a unique public code (replaced with 'XXXXXXX' below). What's stopping somebody from copying that code, spoofing the request headers, and pretending to be my site by following Google's authentication strategy with curl?So I'm stuck trying to figure out how Google An