Reputation: 73
Is there a way I can prevent spam on forms? I have a site and spammed it with over 500 requests with Python (requests library). Is there a way to prevent this? People can change their user agent and use proxies for spamming, by the way. Is there a little technique I can use, or any npm packages? (I can't find anything useful for me.)
Here's my post route; I removed the queries.
```javascript
app.post('/:id', function(req, res) {
  if (req.method == 'POST') {
    var id = req.params.id;
    if (isNaN(id) == false) {
      // Parameterised lookup (assumes a mysql-style driver with ? placeholders)
      // instead of concatenating id into the SQL string, which was injectable.
      db.query('SELECT * FROM users WHERE id = ?', [id], function(loggerErr, logger) {
        if (!loggerErr) {
          db.query(, function(logErr, logRes) { // query removed by the asker
            if (!logErr) {
              res.redirect('/');
            } else {
              throw logErr;
            }
          });
        }
      });
    } else {
      db.query(, function(logErr, logRes) { // query removed by the asker
        if (!logErr) {
          res.redirect('/');
        } else {
          throw logErr;
        }
      });
    }
  }
});
```
Upvotes: 5
Views: 3832
Reputation: 108706
Only 500 spam posts? Not bad. Many sites get tens of thousands. It's a big nuisance. Cybercreeps ....
It's quite hard to stop these posts in your server's code.
The best way to slow down spam posts is to incorporate a CAPTCHA ("I am not a robot") into your posting forms on your web pages.
Google offers their reCAPTCHA service. It's good for the standard Google reason: it hoovers up data from every site that uses it, and makes lists of well-known spammers to reject.
There are other ways. One is requiring all users who POST to register with emails and passwords first, then asking them to complete their registrations by responding to an email you sent them. But that's bigger than a quick fix to a post() route.
EDIT: In development, you know which IP addresses you and your testers use for their browsers. So do something like this, using your own IP addresses, not the ones in this example.
```javascript
const ipAllowlist = ['10.11.12.13', '10.12.14.16', '192.168.123.124']
...
```
Then at the top of your post() method do this.
```javascript
if (!ipAllowlist.includes(req.connection.remoteAddress))
  throw new Error('ip not in allowlist, begone cybercreep!')
```
But you need to take this out before release, obviously.
Upvotes: 1
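As an added example (not code from either post), here is the answer's development-time allowlist written as Express-style middleware that replies 403 instead of throwing, alongside a per-IP sliding-window limit on POSTs, which goes beyond the answer by slowing a script that replays the form hundreds of times. It assumes Express-compatible `req`/`res`/`next` objects and that `req.ip` holds the client address (behind a reverse proxy, `trust proxy` must be configured for that to be true); the `fakeRes`/`runOnce` helpers are constructed here only so the middleware can be exercised without a server.

```javascript
// Added example: Express-style middleware, not the asker's or answerer's code.
// Assumes req.ip is the real client address (configure 'trust proxy' if proxied).

// Development-time allowlist from the answer, as middleware: unknown clients
// get a 403 response rather than an exception thrown inside the route.
function ipAllowlist(allowed) {
  const set = new Set(allowed);
  return function (req, res, next) {
    if (!set.has(req.ip)) return res.status(403).send('forbidden');
    next();
  };
}

// Per-IP sliding window: at most `limit` POSTs per `windowMs`. `now` is
// injectable so the window can be tested without waiting on the wall clock.
function postRateLimit({ limit, windowMs, now = Date.now }) {
  const hits = new Map(); // ip -> timestamps of recent POSTs
  return function (req, res, next) {
    const t = now();
    const recent = (hits.get(req.ip) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= limit) {
      res.set('Retry-After', String(Math.ceil(windowMs / 1000)));
      return res.status(429).send('too many requests');
    }
    recent.push(t);
    hits.set(req.ip, recent);
    next();
  };
}

// Minimal stand-in for Express's res (constructed for this example only).
function fakeRes() {
  const r = { statusCode: 200, headers: {}, body: undefined };
  r.status = (c) => { r.statusCode = c; return r; };
  r.set = (k, v) => { r.headers[k] = v; return r; };
  r.send = (b) => { r.body = b; return r; };
  return r;
}

// Runs one middleware for a client ip; returns 200 if it called next(),
// otherwise the status it responded with.
function runOnce(mw, ip) {
  const res = fakeRes();
  let passed = false;
  mw({ ip }, res, () => { passed = true; });
  return passed ? 200 : res.statusCode;
}

// Mounting in the real app would look like:
// app.post('/:id', postRateLimit({ limit: 5, windowMs: 60000 }), handler);
```

The in-memory map is per process, so with several Node workers or an hourly restart the count is not shared; the same logic backed by a shared store is what the common rate-limit packages provide.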