Rack attack setup is always included when running the generator with --without-rack-attack #1

Open
lfarrell opened this issue Feb 28, 2025 · 0 comments

I ran bin/rails g bot_challenge_page:install --without-rack-attack

application.rb then has the following line added: require 'rack/attack'

The bot_challenge_page.rb initializer adds all the configuration options for rate limiting and inits rack_attack.

Rails.application.config.to_prepare do

  BotChallengePage::BotChallengePageController.bot_challenge_config.enabled = true

  # Get from CloudFlare Turnstile: https://www.cloudflare.com/application-services/products/turnstile/
  BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_sitekey = "MUST GET"
  BotChallengePage::BotChallengePageController.bot_challenge_config.cf_turnstile_secret_key = "MUST GET"

  # What paths do you want to protect?
  #
  # You can use path prefixes: "/catalog" or even "/"
  #
  # Or hashes with controller and/or action:
  #
  #   { controller: "catalog" }
  #   { controller: "catalog", action: "index" }
  #
  # Note that we can only protect GET paths, and also think about making sure you DON'T protect
  # any path your front-end needs JS `fetch` access to, as this would block it (at least
  # without custom front-end code we haven't really explored)

  BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limited_locations = [
  ]

  # How long will a challenge success exempt a session from further challenges?
  # BotChallengePage::BotChallengePageController.bot_challenge_config.session_passed_good_for = 36.hours


  # allow rate_limit_count requests in rate_limit_period, before issuing challenge
  BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_period = 12.hour
  BotChallengePage::BotChallengePageController.bot_challenge_config.rate_limit_count = 2
  
  # Exempt some requests from bot challenge protection
  # BotChallengePage::BotChallengePageController.allow_exempt = ->(controller) {
  #   # controller.params
  #   # controller.request
  #   # controller.session

  #   # Here's a way to identify browser `fetch` API requests; note
  #   # it can be faked by an "attacker"
  #   controller.request.headers["sec-fetch-dest"] == "empty"
  # }

  # More configuration is available


  BotChallengePage::BotChallengePageController.rack_attack_init
  
end
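Added example (not code from the bot_challenge_page gem and not part of the issue above): a small model of what the generated `rate_limit_period` / `rate_limit_count` settings mean once `rack_attack_init` hands them to rack-attack, i.e. allow N GET requests per source within a window and challenge the rest. It assumes fixed windows aligned to the epoch (the way Rack::Attack's throttle buckets its counter); the `ChallengeRateLimiter` class, `build_request` helper, request hashes, IP address and timestamps are all constructed for illustration and are not the gem's API. The exemption lambda mirrors the commented-out `allow_exempt` block and, as that comment warns, relies on a header any client can set.

```ruby
# Constructed request: a plain Hash standing in for an ActionDispatch::Request.
# Keys: :ip, :method, :path, :headers (header names lowercased).
class ChallengeRateLimiter
  def initialize(period:, limit:, exempt: nil)
    @period = period            # seconds, e.g. 12.hours => 43_200
    @limit  = limit             # requests per window before a challenge is issued
    @exempt = exempt            # lambda(request) -> true skips the counter entirely
    @counts = Hash.new(0)       # {[ip, window] => count}; stands in for Rails.cache
  end

  # Decide for one request. Returns :allow, :challenge or :not_protected.
  def check(request, now:)
    # The generated initializer notes the gem can only protect GET paths.
    return :not_protected unless request[:method] == "GET"
    return :allow if @exempt && @exempt.call(request)

    window = now / @period                   # fixed window aligned to the epoch
    key    = [request[:ip], window]
    @counts[key] += 1
    @counts[key] > @limit ? :challenge : :allow
  end
end

# Same idea as the commented-out allow_exempt lambda: browser fetch() sends
# Sec-Fetch-Dest: empty, but so can curl, so this is a convenience, not a control.
FETCH_EXEMPT = ->(request) { request[:headers]["sec-fetch-dest"] == "empty" }

# Hypothetical helper producing the constructed request hashes used below.
def build_request(ip:, method: "GET", headers: {})
  { ip: ip, method: method, path: "/catalog", headers: headers }
end

# Walk the sequence you would try by hand against the generated settings
# (rate_limit_period = 12 hours, rate_limit_count = 2). Returns the decisions.
def demo
  limiter = ChallengeRateLimiter.new(period: 12 * 3600, limit: 2, exempt: FETCH_EXEMPT)
  t0   = 1_700_006_400                     # constructed timestamp on a 12h window boundary
  page = build_request(ip: "203.0.113.7")
  ajax = build_request(ip: "203.0.113.7", headers: { "sec-fetch-dest" => "empty" })
  post = build_request(ip: "203.0.113.7", method: "POST")

  [
    limiter.check(page, now: t0),            # 1st GET in window  -> :allow
    limiter.check(page, now: t0 + 60),       # 2nd                -> :allow
    limiter.check(page, now: t0 + 120),      # 3rd                -> :challenge
    limiter.check(ajax, now: t0 + 180),      # exempt header      -> :allow (spoofable)
    limiter.check(post, now: t0 + 240),      # POST               -> :not_protected
    limiter.check(page, now: t0 + 43_199),   # same window, 4th   -> :challenge
    limiter.check(page, now: t0 + 43_200),   # next window resets -> :allow
  ]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two things the walk-through makes visible that the bare numbers do not: the counter resets at a window edge rather than sliding, so a client that times requests to the boundary gets `2 * rate_limit_count` through in quick succession, and anything matched by the exemption lambda is never counted at all, which is why the header check should not be the only thing standing between a scraper and the protected paths.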