Fighting h@ckers with Google Recaptcha v3

[bdebon]

For now, the website can easily be hacked. Someone with little knowledge can send a request with a new fake IP every time and voting 1000th times easily for the same response. This is what happened with Php vs JavaScript. A backend dev discovered the breach and decided to put 6000 votes for PHP...
Don't worry, we will catch up with these 6000 fake votes with 6001 real people's vote for javascript.

To fight this, several solutions has been proposed

• auth or auth0 : I don't want any authentication system that would break the fun and the friendly ux.
• Entering a mail: I don't want either
• Using Google Recaptcha v3 to generate a token than the person must attach to his request

I like this last solution but I don't have too much time to dig into how to implement that but if someone wants to do it... You're welcome!!

[kmartin91]

(recaptcha entreprise / V3 / V2)
https://www.google.com/recaptcha/about/

Don't break internet again, it might cost you a bit

[MaximeMRF]

A lot of e-commerces uses cloudflare bot management to block scrapers.

I think, it can be a good solution for this problem because simple post request made by a script is blocked by cloudflare.

In addition, cloudflare may also detect if you are using a browser managed by a program like puppeteer (node.js) or selenium (python).

On the other hand, I dunno how cost this solution.

[delikesance]

Why can't we just use cloudflare ? It might do the trick

[bdebon]

I don't know, never used it. Is it compatible with the technologies we can use with the shared hosting at Hostinger ? I precise we just have PHP / MySQL / and basic nginx. No node possible.

[Snox-dev1]

It's really too easy even without scraping @MaximeMRF

[Snox-dev1]

The best way is to get the voter's ip address and block him when he votes too much

[tdaron]

Is really captcha a good Idea ? Anyone could just extract the token from his browser and put it in any script. To be sure that can't be done, a captcha should be asked for every question but it's sooo bad for ux

[Snox-dev1]

I had an idea !

Basically on the database you have to add a timestamp of the last vote

Then at each vote look when was the last vote of the ip then if it was less than 5 minutes ago then we block.

[bdebon]

I sounds incredible! Easy to implement and good enough to prevent the biggest abuses! Does anybody has something agains this proposition?

[bdebon]

oops no it does not work. Anyone can change it's IP for a random one. Node scripts are doing that super easily, so it's not working.

[MatteoGauthier]

A solution which does not cover all cases may be the use of fingerprintjs on the front in order to prevents browser automation.