At the moment it’s arbitrary to log in and perform actions with an HTTP client like Postman. Here are my thoughts on a few things which could be investigated to improve matters.
- Google reCaptcha on the login page (might also make sense to use an invisible reCaptcha throughout, but I have a feeling this might hit some Google API limits ^^)
- CSRF tokens on forms to validate the request came from the previous page load
- Throttling / rate limiting on the nginx proxy [https://www.nginx.com/blog/rate-limiting-nginx/] to limit to human interaction speeds
- Randomise class names on some elements to make web scraping harder
I’m sure I may think of other things, so I’ll update this thread if I do.
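As an added illustration of the CSRF-token idea in the list above (example code, not part of the original post or of the site being discussed), here is a synchronizer-token scheme: the server mints a token when it renders the form, binds it with an HMAC to the visitor's session id and an issue time, and checks it on submit with a constant-time comparison. The session id, secret key and one-hour lifetime are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed server-side secret for the example; a real deployment would load
# a persistent key from configuration so tokens survive a restart.
SECRET_KEY = os.urandom(32)
TOKEN_TTL = 3600  # seconds a form token stays valid (assumed lifetime)


def issue_csrf_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint a token for the page load that renders the form.

    The MAC covers (session id, issue time, random nonce), so a token is only
    valid for the session it was issued to and expires after TOKEN_TTL.
    """
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{session_id}:{ts}:{nonce}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


def verify_csrf_token(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """Check a submitted form token against the session that is posting it."""
    try:
        ts_str, nonce, mac = token.split(":")
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False  # malformed token
    current = now if now is not None else time.time()
    if current - ts > TOKEN_TTL or ts > current + 60:
        return False  # expired, or issued "in the future" (tampered timestamp)
    msg = f"{session_id}:{ts}:{nonce}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, mac)
```

Note that a scripted client which first loads the form can still obtain a valid token, so this check stops cross-site request forgery rather than automation as such; it complements the rate-limiting item rather than replacing it.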