There is a form where one of the first fields immediately after filling in .on('blur') transparently makes its way through the site database - is it already registered, or not? Depending on the result, some of the fields below are hidden or shown.

The villains can such a mechanism zadolbat mass requests, with the result that the type will get the info, which they should not have - rel. who is on the site, and who is not.

As long as I do: I keep the number of requests in the session. If I don’t process more than N, then all the answers are negative. It is clear that you can reset the session, go through a proxy, through Thor. But, probably, it will somehow protect against full-scale punching.

How do you want to do: something like a form protection, where every time a unique token is generated that can only be used once.

Question: how to “correctly” protect oneself from the very impudent and mass punching of data through the ajax request handler?

    1 answer 1

    The approach of storing the number of requests for certain IP addresses as a rule protects well, and it is extremely difficult to come up with something else here. You can only change the level at which the filtering takes place and transfer this task directly to the web server.

    If you use IIS, then there is a special module: Dynamic IP Restrictions module .

    I think there are analogues for Apache

    • Large office, all go to the same IP from my tz. Do not block them all after N people registered once. Then, the site is big, there is not only this registration lives there, they let them watch the pages, at least 100k times the same :)) - Sergiks
    • 2
      This is the subtleties of customization, hang the filter only where it is needed. Also, the lock passes not only by the number of requests, but also by the intervals between them. Of course, blocking directly by IP is not a very good option for your example. You can try to make a session session + IP. That is, initially the block goes for a specific session, with the growth of requests from the same IP and the growth of blocks of sessions, we simply close the IP - Pavel Azanov
    • one
      Is logical Went to read about similar modules for nginx . I'm not in a hurry to accept your answer, I will wait for more insights. - Sergiks
    • By the way, in addition to the module for IIS: the problem of accessing several people from one IP has been solved there. There is a special mode "Proxy". Read about it here: blogs.msdn.com/b/vyunev/archive/2012/03/12/iis-8-ip.aspx - Pavel Azanov