Suggestion - Possible bot deterrents

At the moment it’s arbitrary to log in and perform actions with an HTTP client like Postman, here’s my thoughts on a few things which could be investigated to improve matters.

  • Google reCaptcha on the login page (might also make sense to use an invisible reCaptcha throughout, but I have a feeling this might hit some Google API limits ^^)
  • CSRF tokens on forms to validate the request came from the previous page load
  • Throttling / rate limiting on the nginx proxy [https://www.nginx.com/blog/rate-limiting-nginx/] to limit to human interaction speeds
  • Randomise class names on some elements to make web scraping harder

I’m sure I may think of other things, so I’ll update this thread if I do.
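One way to implement the CSRF token suggestion from the list above, added here as an example rather than code from this forum or the site being discussed: each token is bound to the visitor's session id with an HMAC and expires 15 minutes after the form page was served, so a request that never loaded the page cannot present a valid one. The secret key and session ids are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed placeholder; a real deployment loads this from configuration, not source.
SECRET_KEY = b"constructed-example-key-not-for-production"
TOKEN_TTL_SECONDS = 900  # token is valid for 15 minutes after the page was served


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint a token bound to this session and to the time the form page was rendered.

    Format: "<issued_at>.<nonce>.<hmac>". The HMAC covers the session id, timestamp
    and nonce, so a token lifted from one session is useless in another.
    """
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{session_id}|{issued_at}|{nonce}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, now: Optional[float] = None) -> bool:
    """Return True only if the token was minted for this session and is still fresh."""
    try:
        issued_str, nonce, mac = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed or missing token, e.g. a client that skipped the form page
    current = now if now is not None else time.time()
    if current - issued_at > TOKEN_TTL_SECONDS or issued_at > current + 60:
        return False  # expired, or claims to have been issued in the future
    expected = hmac.new(SECRET_KEY, f"{session_id}|{issued_at}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing differences leak nothing about the expected MAC.
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    # Constructed demonstration: one legitimate round trip and two rejected requests.
    sid = "session-abc123"
    tok = issue_csrf_token(sid)
    print("same session:", verify_csrf_token(sid, tok))
    print("other session:", verify_csrf_token("session-xyz", tok))
    print("tampered token:", verify_csrf_token(sid, tok[:-1] + ("0" if tok[-1] != "0" else "1")))
```

In a web framework the issued token goes into a hidden form field (and the session cookie stays HttpOnly), and the POST handler calls `verify_csrf_token` before doing anything else.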

I’ve got a lot of these planned (the framework for CSRF prevention is already in place, some people have historically had fun with that one), so it’ll eventually come along :slight_smile:

As mentioned in a more recent thread, MFA via Google Authenticator. That’ll stop account sharing as well, or at least make it considerably more difficult.