January 14, 2020

Botnet attack

Jamhur Mustafayev @jmstfv

Soon after launching, I got hit by a botnet attack. Those ducks kept submitting 2 POST requests to /login, followed by 2 POST requests to /signup, and since there were no checks in place, they were getting in quite easily. I started panicking. I knew I needed to do something and do it quickly. The easiest solution could have been sticking a Google reCAPTCHA on the site, but it annoys the hell out of me, and I didn't want to send any iota of my users' data to Google. After evaluating multiple alternatives, I went with a Ruby gem called invisible_captcha. It uses multiple techniques such as an invisible honeypot field and time-sensitive submissions to keep bots at bay. It's been working great so far, although I realize that this approach won't fly for bots running headless browsers.
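The two checks the post credits the gem with, written out as an added Ruby example (this is not the invisible_captcha gem's own code); the field names, the 4-second threshold, the 1-hour expiry and the HMAC-signed timestamp are assumptions:

```ruby
require 'openssl'

# Added example, not the invisible_captcha gem. A honeypot field real users
# never see (hidden via CSS) must come back empty, and a form submitted
# faster than a human could fill it in is rejected. The render timestamp is
# HMAC-signed so a bot cannot post a hand-crafted "old" timestamp.
SECRET = 'constructed-demo-secret' # constructed; use a real per-app secret
HONEYPOT_FIELD = 'website'         # hypothetical name of the hidden field
MIN_SECONDS = 4                    # assumed minimum time to fill the form
MAX_SECONDS = 3600                 # assumed form lifetime, limits replay

# Called when rendering the form: values for the hidden inputs.
def spam_guard_fields(now = Time.now.to_i)
  ts = now.to_s
  sig = OpenSSL::HMAC.hexdigest('SHA256', SECRET, ts)
  { 'spam_ts' => ts, 'spam_sig' => sig, HONEYPOT_FIELD => '' }
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called on POST with the submitted params hash. Returns :ok or a symbol
# naming the check that failed, so the controller can log and reject.
def spam_guard_check(params, now = Time.now.to_i)
  return :honeypot_filled unless params[HONEYPOT_FIELD].to_s.empty?
  ts = params['spam_ts'].to_s
  sig = params['spam_sig'].to_s
  return :missing_timestamp if ts.empty? || sig.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, ts)
  return :bad_signature unless secure_equal?(expected, sig)
  elapsed = now - ts.to_i
  return :expired if elapsed > MAX_SECONDS
  return :too_fast if elapsed < MIN_SECONDS
  :ok
end

if __FILE__ == $PROGRAM_NAME
  form = spam_guard_fields(1_000_000)
  puts spam_guard_check(form, 1_000_001)                        # too_fast
  puts spam_guard_check(form.merge('website' => 'x'), 1_000_010) # honeypot_filled
  puts spam_guard_check(form, 1_000_010)                        # ok
end
```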

