Methods of preventing SPAM with an API – AngularJS Website Contact Form

Tags: angularjs, api, api-design

I'm exploring AngularJS and ran into an interesting question. If I develop an API to power my AngularJS website, it would include public-facing items such as a Contact Form. Assume an API method /api/contact exists and a POST request to it will create a new contact form entry.

How can we prevent a spammer from using an automated script to create millions of entries? An API token won't really work here as we don't need to identify the user at this stage.

Some ideas that we considered:

  1. Restrict number of creates per IP address
  2. Handshake with the server – but nothing to stop the spammer replicating this.

I assume this is an issue that is commonly solved – can anyone point me in the direction of (or share) some resource on the subject?
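Idea 1 from the question (a per-IP limit on creates) is straightforward to sketch. The following is an added example, not code from the question or from any specific project: an in-memory sliding-window limiter keyed on client address, plus a helper that resolves that address without trusting a forgeable `X-Forwarded-For` header. The `limit`, `windowMs` and `trustedProxies` values, and the `req` shape, are assumptions for illustration.

```javascript
// Added example (not from the original post): per-IP sliding-window limit
// for an unauthenticated POST /api/contact endpoint.
function createIpRateLimiter({ limit = 5, windowMs = 60 * 1000 } = {}) {
  const hits = new Map(); // ip -> timestamps of accepted creates in the window

  // Returns whether this create is allowed, and records it if so.
  function allow(ip, now = Date.now()) {
    const cutoff = now - windowMs;
    const recent = (hits.get(ip) || []).filter(t => t > cutoff);
    if (recent.length >= limit) {
      hits.set(ip, recent);
      // Oldest hit in the window decides when a slot frees up.
      return { allowed: false, retryAfterMs: recent[0] + windowMs - now };
    }
    recent.push(now);
    hits.set(ip, recent);
    return { allowed: true, remaining: limit - recent.length };
  }

  // Run periodically so one-off addresses do not accumulate forever.
  function prune(now = Date.now()) {
    const cutoff = now - windowMs;
    for (const [ip, ts] of hits) {
      const recent = ts.filter(t => t > cutoff);
      if (recent.length === 0) hits.delete(ip); else hits.set(ip, recent);
    }
    return hits.size;
  }

  return { allow, prune };
}

// Resolve the client address. X-Forwarded-For is client-controlled unless the
// request arrived via your own reverse proxy; with one trusted proxy hop the
// last entry is the one the proxy appended, earlier entries are untrusted.
function clientAddress(req, trustedProxies = new Set()) {
  const xff = req.headers['x-forwarded-for'];
  if (xff && trustedProxies.has(req.socket.remoteAddress)) {
    return xff.split(',').pop().trim();
  }
  return req.socket.remoteAddress;
}

// Usage (assumed Express-style handler shape):
// const limiter = createIpRateLimiter({ limit: 5, windowMs: 60000 });
// app.post('/api/contact', (req, res) => {
//   const verdict = limiter.allow(clientAddress(req, new Set(['10.0.0.1'])));
//   if (!verdict.allowed) return res.status(429).set('Retry-After', Math.ceil(verdict.retryAfterMs / 1000)).end();
//   ...
// });

module.exports = { createIpRateLimiter, clientAddress };
```

The limiter keeps state in process memory, so it only holds for a single API instance; behind a load balancer the same map would live in a shared store such as Redis. It also limits by address only, which is why the question's concern about a spammer rotating sources is not answered by this alone.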

Best Answer

I guess the common solution is a captcha.

In your case you seem to have an odd set of restrictions:

  • you provide an API for presumably automated use, so you don't want to force human interaction
  • you want to restrict each client to a rate limit
  • you don't want clients to have to sign up/auth

My suggestion is that you force the client to acknowledge the response with a computationally slow-to-generate reply before you process the request.

This will allow you to rate limit the clients by delaying your ack request and prevent multiple simultaneous requests from the same client, by forcing the computationally hard ack reply. Perhaps bcrypt or some other slow hash? (Mine a bitcoin!?)

However, it would be more usual to implement a signup/auth procedure which you can then use to identify individual clients.
