|
I have a public website that does not require authentication. It's a lighting calculator for indoor cultivation. Anyone can enter and complete the process and ultimately save your settings for future use sharing it on Facebook or twitter. The configuration is saved as a document in a database, using a REST api. At this time nothing prevents someone make a bot and fill my hard disk in a few hours. What steps can I take to give protection to my service? |
|||
|
|
|
Add a limit per ip / browser as a start and also a slowdown for the whole site. So if you get more > 150% of the normale amount of requests (in total) add a time limit which stops the requests. Let the user wait until the next minute for example. That will stop it. http://stackoverflow.com/questions/12449538/http-response-code-for-please-wait-a-little-bit So if you are over the limit send a 503 error. That saves your server. Then in javascript get the response code, understand it, and show the user a timer. If others use it at their website you can also get a get from your rest api and include it in the page. Like a session id. That way you can block everyone who did not come from the website at first. Making it more complex because they need to do 2 requests. |
|||
|
|
