The bot-fighting is a non-stop battle. In this week's video, I discuss how we're tweaking Cloudflare Turnstile and combining more attributes around how bot-like requests are, and… it almost worked. Just as I was preparing to write this intro, I found a small spike of anomalous traffic that, upon further investigation, should have been blocked. So we've pivoted again, adding yet more logic to try and give legit humans the best experience possible whilst making it painful for the bots. Fortunately, we're doing this with resources that have minimal impact if a limited number of bot requests come through, but it does make for a challenging if not somewhat infuriating experience.
References
- Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
- We've now identified the first round of partners to onboard to HIBP (these are companies that can help victims "after the breach")
- ColoCrossing had a breach that exposed 7k customer email addresses for their cloud service (looks like this just ColoCloud)
- We love the HIBP merch store, but Teespring's support is absolutely woeful (we'll move to an alternate provider in the very near future)
- We're still tweaking Cloudflare's Turnstile to keep the bad guys out and the good guys in (that's a link to the HIBP homepage which we think we have dialed in pretty good now, see if you get a nice async request or a full page post-back)
