Protect your sign up form with Rack::Attack
When your application becomes popular it may attract the attention of hackers, who’ll try and find ways to exploit the weaknesses in your site to use it for nefarious means!
They’ll nearly always explore your site manually, signing up and testing attack vectors, before attempting to automate the weaknesses they’ve discovered.
During an attack, the hacker’s bots will typically sign up with a random email then do something bad, hundreds of times a minute, from a relatively small number of computers.
Instead of allowing unlimited sign up attempts, use Rack::Attack to limit the frequency of sign ups and ban the offending IP addresses.
```ruby
# config/application.rb
module YourAppName
  class Application < Rails::Application
    # Insert Rack::Attack into the middleware stack so every request
    # passes through its throttles and blocklists before reaching Rails.
    config.middleware.use Rack::Attack
  end
end
```
```ruby
# config/initializers/rack_attack.rb
# Only throttle in production so development and test environments are unaffected.
if Rails.env.production?
  class Rack::Attack
    # Allow at most 3 sign ups per client IP in any 15-minute window.
    Rack::Attack.throttle("users/sign_up", limit: 3, period: 15.minutes) do |req|
      # Using "vanilla" Devise inside a User model: the registration form
      # POSTs to /users. Returning the IP makes it the throttle key;
      # returning nil for every other request leaves them unthrottled.
      req.ip if req.path == "/users" && req.post?
    end
  end
end
```
The judicious use of endpoint-based request restriction can prevent your site from being an attractive target for spammers and hackers. It can also reduce the size of any successful bot attack by limiting the amount of possible signups.
In this example, hackers can only add up to three users from each IP address every quarter of an hour. If 15 minutes seems too brief, you could probably increase the period to twenty or thirty minutes without accidentally blocking any legitimate sign ups.
The solution above could, in theory, block legitimate sign ups, but it is highly unlikely that a user would incorrectly attempt to sign up three times in relatively quick succession.
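To make the throttle's behaviour concrete, here is an added example (not code from the post or from the rack-attack gem) that reimplements the same fixed-window limit as a plain Rack middleware using only the Ruby standard library, and adds the fail2ban-style ban the post mentions: an address that keeps hitting the limit is refused on every path for an hour. The class name `SignupThrottle`, the `ban_after`/`ban_period` options, the injected clock and the sample address 203.0.113.7 are all assumptions made for the illustration; the limit of 3 per 900 seconds, the `POST /users` match and the 429 "Retry later" response mirror the configuration above.

```ruby
# Added illustration, not the post's or the gem's code: a minimal Rack middleware
# that reproduces Rack::Attack's fixed-window throttle for the sign-up form and
# adds a fail2ban-style ban. Standard library only; the clock is injected so the
# behaviour can be driven deterministically.
class SignupThrottle
  SIGN_UP_PATH = "/users".freeze

  # limit/period mirror Rack::Attack.throttle (3 per 15 minutes). ban_after and
  # ban_period are hypothetical extras: after ban_after throttled attempts the
  # IP is refused everywhere for ban_period seconds.
  def initialize(app, limit: 3, period: 900, ban_after: 5, ban_period: 3600,
                 clock: -> { Time.now.to_i })
    @app = app
    @limit = limit
    @period = period
    @ban_after = ban_after
    @ban_period = ban_period
    @clock = clock
    @counts = Hash.new(0)   # "window:ip" => sign-up attempts in that window
    @strikes = Hash.new(0)  # ip => throttled attempts so far
    @banned_until = {}      # ip => epoch second at which the ban expires
  end

  def call(env)
    # REMOTE_ADDR is the TCP peer. Behind a reverse proxy that is the proxy,
    # so a real deployment must take the client address from the header the
    # proxy sets (Rack::Request#ip does this for Rack::Attack).
    ip = env["REMOTE_ADDR"]
    now = @clock.call

    return banned_response if banned?(ip, now)

    if sign_up_attempt?(env)
      window = now / @period                 # fixed window, as Rack::Attack uses
      key = "#{window}:#{ip}"
      @counts[key] += 1
      if @counts[key] > @limit
        @strikes[ip] += 1
        @banned_until[ip] = now + @ban_period if @strikes[ip] >= @ban_after
        return throttled_response((window + 1) * @period - now)
      end
    end

    @app.call(env)
  end

  private

  def sign_up_attempt?(env)
    env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == SIGN_UP_PATH
  end

  def banned?(ip, now)
    expires = @banned_until[ip]
    return false unless expires
    return true if now < expires
    @banned_until.delete(ip)   # ban has lapsed; forget the strikes as well
    @strikes.delete(ip)
    false
  end

  def throttled_response(retry_after)
    [429, { "Content-Type" => "text/plain", "Retry-After" => retry_after.to_s },
     ["Retry later\n"]]
  end

  def banned_response
    [403, { "Content-Type" => "text/plain" }, ["Forbidden\n"]]
  end
end

# Constructed sample traffic: `count` sign-up POSTs from one address, `step`
# seconds apart, starting at epoch second `start`. Returns the status codes the
# client would see in order.
def simulate_sign_ups(count, ip: "203.0.113.7", start: 1_000_000, step: 10, **opts)
  t = start
  app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["created\n"]] }
  middleware = SignupThrottle.new(app, clock: -> { t }, **opts)
  count.times.map do
    env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/users", "REMOTE_ADDR" => ip }
    status, = middleware.call(env)
    t += step
    status
  end
end

if __FILE__ == $PROGRAM_NAME
  puts simulate_sign_ups(10).inspect
end
```

Running it shows three 200s, then 429s, then 403s once the fifth throttled attempt has triggered the ban; spacing the attempts a full period apart produces only 200s, because each lands in a fresh window. The same shape is what you would see in production with the Rack::Attack configuration above, with the single difference that the counters live in `Rails.cache` rather than in a hash inside one process, which is what lets several app servers share one view of an attacker's rate.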
Last updated on March 24th, 2019 by @andycroll