There is a form where one of the first fields, immediately after being filled in, is transparently checked via .on('blur') against the site database: is the value already registered or not? Depending on the result, some of the fields below are hidden or shown.
Attackers can hammer such a mechanism with mass requests, and as a result they will get information they should not have, namely who is on the site and who is not.
What I do for now: I keep the number of requests in the session. I don't process more than N; after that, all the answers are negative. It is clear that you can reset the session, go through a proxy, or through Tor. But it will probably protect at least somewhat against full-scale enumeration.
What I would like to do: something like form protection, where a unique token that can only be used once is generated every time.
Question: how do I “correctly” protect myself from brazen mass enumeration of data through the ajax request handler?
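
An added example, not part of the original post: the two measures mentioned above (a cap of N requests with negative answers afterwards, and a token that can be used only once) combined in one server-side guard. Assumptions: Python for the handler, a hypothetical `LookupGuard` class, a counter keyed by a client identifier such as the IP address instead of the session, and constructed sample data in place of the site database.

```python
import secrets
import time


class LookupGuard:
    """Single-use tokens plus a server-side request budget for an
    'is this registered?' AJAX handler. All names are hypothetical."""

    def __init__(self, limit, window=3600.0, token_ttl=600.0):
        self.limit = limit          # N: real lookups allowed per window
        self.window = window        # seconds a request counts against N
        self.token_ttl = token_ttl  # seconds a form token stays valid
        self._tokens = {}           # token -> expiry time
        self._hits = {}             # client key -> request timestamps

    def issue_token(self, now=None):
        """Called when the form is rendered and after every answer."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = now + self.token_ttl
        return token

    def check(self, client_key, token, lookup, value, now=None):
        """Return (registered, next_token). Every refusal looks like a
        normal negative answer, so the caller learns nothing from it."""
        now = time.time() if now is None else now
        expiry = self._tokens.pop(token, None)   # pop = one use only
        hits = [t for t in self._hits.get(client_key, ())
                if now - t < self.window]
        hits.append(now)                         # rejected tries count too
        self._hits[client_key] = hits
        allowed = (expiry is not None and now <= expiry
                   and len(hits) <= self.limit)
        registered = bool(lookup(value)) if allowed else False
        return registered, self.issue_token(now)


# Constructed sample data standing in for the site database.
REGISTERED = {"alice@example.com"}


def demo():
    guard = LookupGuard(limit=3)
    token = guard.issue_token(now=0.0)
    answers = []
    for i in range(5):
        hit, token = guard.check("203.0.113.7", token,
                                 REGISTERED.__contains__,
                                 "alice@example.com", now=float(i))
        answers.append(hit)
    return answers   # budget of 3, then uniform negatives
```

The in-memory dictionaries stand in for whatever shared store the site uses; the counter has to live on the server and outside the session for a session reset not to clear it.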