My use case is authentication.
Assume throttling etc on server but looking to limit hits in particular for email login / form (aka magic link) as concerned random emails could be triggered just for fun.
There's a lot of things you can do, but realistically, for starters, I would suggest against just having an "enter email" for a magic link. These can break, except when it actually comes to real usage. There's a write-up from not that long ago about not using magic links.
Additionally, captchas are a bit dumb, and they are a terrible user experience, so I generally avoid using those.
Cloudflare, or really any CDN, is great for this; most offer something like a WAF to block attackers making requests. This is additionally fantastic because it protects your whole API, not just one URL, since hidden fields suck at that. Additionally, hidden fields don't get you anywhere, because if I use web automation, I can just pull the value out of the web form before making the submission, so you aren't blocking anything.
There are two additional strategies for this:
Most of the time the solution is actually "Well, it's a good thing to do, right?" And in truth, sure, but it's also really expensive to implement. So what value are you getting out of that? Most services don't actually benefit from this, and with any amount of traffic + scale, this is going to be so much lower than real users' usage.
#7 from your link captures why I asked. Other points not so much. Agree with your "is it really a problem worth addressing now" comment. Thanks.
Cloudflare + a honeypot field such as:
<input type="hidden" name="type_here_please" value="" aria-hidden="true">
This should limit bot submissions etc.
I have something similar as my honeypot - worth noting it's important to put in the relevant accessibility or else anyone using a screen reader gets labelled as a bot.
Good point Ryan - I've updated the snippet.
I would recommend three things:
Use of Google reCaptcha
Use of HTTPS
Reposting from a previous thread
I had the same problem when I launched my previous SaaS: automated signups from what seemed like stolen emails originating from residential IP addresses (probably breached IoT devices and whatnot).
I hate Google's captcha, so I wanted to try something different first.
I ended up using a Ruby gem called invisible captcha, which uses heuristics such as honeypot fields and time-sensitive submissions.
Roughly speaking, if someone (1) fills an invisible form field (with a random name so that it won't be populated by password managers) OR (2) submits a form too quickly (let's say within 4 seconds of opening the page), they're probably a bot, and their input should be ignored. You can optionally inform folks to retry the request if they submitted it too fast.
It was working great - not a single bogus signup after I implemented it. It won't fly if bots are using headless browsers, but most bots (and their operators) aren't sophisticated enough to pull that off.
If your language doesn't have a similar library, it won't be that hard to write a middleware replicating this functionality.
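The honeypot field from the earlier comment and the honeypot + minimum-fill-time check described in this one, as an added example written from scratch (it is not the invisible captcha gem and not code from anyone in the thread). The class name, field names, the HMAC-signed timestamp and the secret are assumptions; the 4-second threshold is the figure quoted above.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not the invisible_captcha gem): the form embeds a honeypot input
# with a random name plus a signed render timestamp; on submit the server ignores
# anything that fills the honeypot, arrives too fast, or carries a forged timestamp.
class SpamCheck
  MIN_SECONDS = 4   # threshold quoted in the comment above

  def initialize(secret, min_seconds: MIN_SECONDS)
    @secret = secret
    @min_seconds = min_seconds
  end

  # Render-time: fields to embed in the form. The honeypot gets a random name so
  # password managers don't autofill it; render it visually hidden with
  # aria-hidden="true" (see the accessibility note above). The timestamp is
  # HMAC-signed together with the honeypot name so a client can't backdate it.
  def form_fields(now = Time.now.to_i)
    honeypot = "hp_#{SecureRandom.hex(4)}"
    { 'honeypot_name' => honeypot, 'ts' => "#{now}:#{sign(honeypot, now)}" }
  end

  # Submit-time: returns :ok, :honeypot, :too_fast or :tampered for a params hash.
  def verify(params, now = Time.now.to_i)
    honeypot = params['honeypot_name'].to_s
    ts, sig = params['ts'].to_s.split(':', 2)
    return :tampered if honeypot.empty? || ts.nil? || sig.nil?
    return :tampered unless secure_compare(sign(honeypot, ts.to_i), sig)
    return :honeypot unless params[honeypot].to_s.empty?
    return :too_fast if now - ts.to_i < @min_seconds
    :ok
  end

  private

  def sign(honeypot, ts)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, "#{honeypot}|#{ts}")
  end

  # Constant-time comparison so the signature check doesn't leak by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A :too_fast result is the case where you might tell a human to retry; :honeypot and :tampered are best dropped silently.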
Cool. Very useful to hear your positive experience and the solution seems straightforward. Thanks.
We use Hcaptcha. Free and works well.
Looks the business + what a great idea! Thanks.
Here's my story: https://www.indiehackers.com/post/whats-your-anti-spam-playbook-ff3b94468f
Months later, I can say the problem is under control. All tools I've used for fighting spam are open source.
Useful tactics. Thanks for sharing.
Here's my very hacky solution:
<input ref="loginName" type="text" name="name" />
That's sneaky. Remind me never to play you at poker. Thanks!
Best case is to show them as a modal
Neat ideas! Thanks.
I use CloudFlare and Google ReCaptcha for my projects/websites, seems to do the trick for me.
Solid choices. Thanks.
Honeypot + throttling.
For a magic link, you could also throttle the emails.
Solid enough for my use case I would think. Thanks.
Using firebase and 🙈 for now
On other projects, depending on the severity of issues, I:
Can you expand on each of these. How are you honeypotting? What technique are you using to block server networks?
Ha. 🙈 works for me. CSRF probably. Can see it becomes involved. Going to look to hand it off as much as I can. Think I see a way for the email magic-link option. Thanks.
I use a self-built honeypot, Google Invisible Recaptcha and email verification for sign-ups but although this stops most bots, some clever bots will get past all of these.
I have tried Cloudflare for a client whose site was getting hammered because he didn't moderate comments on his blog. It was useless and slowed the site to a crawl - something like 15 seconds to show a page. Cloudflare also do really weird stuff like sending massive HEAD responses of megabytes rather than a few bytes. I ended up finding a different solution.
I had a load of bots from users at glitch.me signing up to Downtime Monkey to ping their sites and keep their free servers online all the time (they usually spin up only when in use). After battling this for a week I ended up blacklisting glitch users and auto-deleting accounts when someone tried to set up a monitor for glitch.
What's quite amusing is that the bots that are clever enough to get past all the recaptchas aren't clever enough to stop trying when they hit air. Months later I still get a few attempts each day.
Interesting. Accept it's impossible to stop all. Thanks for input.
Hey. Yeah doesn't surprise me. I don't know internals of Captcha but all Google freebies are there to track, even those wonderful fonts we all love to use. Check FriendlyCaptcha in this post, although one reply seems to be challenging it.
I suppose this is the time to plug the product I helped build: Friendly Captcha as the privacy-friendly alternative (no cookies, no tracking, it works a bit differently).
It's open core (i.e. the SaaS around it is not open source, but the building blocks are open source, as is the widget/code you would put into your website).
Absolutely the time to plug. Looks great! Really good. Will play with it to check but on first viewing looks like just the kind of thing I was looking for.
Seems to be similar to geetest.com.
While scraping websites with this protection we just triggered a lambda function that executed that crypto puzzle 🤷
I think that's fair :)
We work hard to make sure it is as effective as possible while not compromising on privacy+accessibility, but no captcha will keep out all spammers/scrapers.
You can buy thousands of solves for $1 for normal captchas, or spend time+resources solving crypto puzzles. There is no perfect captcha that will protect against everything reliably. Most people use captchas against untargeted abuse (e.g. scripts submitting to any internet form with some adult ad text/email), not targeted attacks from those who are willing to spend actual money/time (I would argue a reasonable amount of automated scraping is not an attack anyway).
We have some more advanced stuff running in the backend too: we adapt the difficulty of the crypto puzzle based on some signals (a straightforward one being if you made many requests recently it gets more difficult).
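The adaptive crypto puzzle idea above, as an added illustration that is not Friendly Captcha's code: a SHA-256 leading-zero-bits puzzle whose difficulty rises with the number of requests seen from the same client key in the last minute. The class name, the 12-bit baseline, the 60-second window, the one-bit-per-five-requests rule and the 20-bit cap are all assumed values chosen for the example.

```ruby
require 'digest'
require 'securerandom'

# Added example, not the vendor's implementation: issue a nonce and a required
# number of leading zero bits; the client searches for a counter, the server
# verifies it and consumes the nonce. Difficulty is keyed on recent request rate.
class PuzzleCaptcha
  BASE_BITS = 12   # assumed baseline difficulty
  WINDOW = 60      # seconds of request history counted (assumed)

  def initialize
    @history = Hash.new { |h, k| h[k] = [] }   # client key => request times
    @issued = {}                               # nonce => required bits
  end

  # Assumed rule: one extra bit per 5 requests in the window, capped at 20 bits.
  def difficulty_for(client, now = Time.now.to_i)
    @history[client].select! { |t| t >= now - WINDOW }
    [BASE_BITS + @history[client].size / 5, 20].min
  end

  # Server side: record the request and hand out [nonce, bits].
  def issue(client, now = Time.now.to_i)
    @history[client] << now
    nonce = SecureRandom.hex(8)
    @issued[nonce] = difficulty_for(client, now)
    [nonce, @issued[nonce]]
  end

  # Server side: a nonce is accepted at most once, so a solve can't be replayed.
  def verify(nonce, counter)
    bits = @issued.delete(nonce)
    !bits.nil? && self.class.leading_zero_bits(nonce, counter) >= bits
  end

  # Client side (the widget's work): brute-force a counter meeting the target.
  def self.solve(nonce, bits)
    counter = 0
    counter += 1 until leading_zero_bits(nonce, counter) >= bits
    counter
  end

  def self.leading_zero_bits(nonce, counter)
    zeros = 0
    Digest::SHA256.digest("#{nonce}:#{counter}").each_byte do |b|
      return zeros + (8 - b.bit_length) if b != 0
      zeros += 8
    end
    zeros
  end
end
```

Each extra bit doubles the expected client work, which is why a burst of requests from one key quickly becomes expensive to automate while a first-time visitor solves the baseline puzzle almost instantly.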
Yup, I get it, there is no solution that would prevent bots from scraping a website. Though this is a really interesting field to work in.
Another popular approach to detect bots is analyzing browser fingerprints. AFAIR distil networks provide some decent bot detection solutions
I've used a captcha on a Rails site to protect a form submission. I guess that wouldn't work for a magic link though.
Hi. Could use it on the form to avoid malicious triggering of email sends. So yeah, relevant. Have updated the post to be clearer. Was it the Google captcha you used? Thanks