
Abuse protection

RailsFast ships with several measures you can use to protect against abuse and bots / DDoS / scrapers / bad actors.

Cloudflare Turnstile (Captcha-like)

Cloudflare Turnstile is a widget, like the famous CAPTCHA, that validates whether the user is human or not. This is useful to prevent bots from automatically / massively submitting information to your app, for example.

As we saw in the auth section, all signup/login forms come already protected against abuse by Cloudflare Turnstile.

If you want to add Turnstile (Captcha-like) protection to any other form on any other page, you just need to add the cloudflare_turnstile element to your view:

<%= cloudflare_turnstile(theme: 'dark') %>

And then, in the corresponding controller action:

before_action :validate_cloudflare_turnstile, only: [:your_action]

Everything is configured in RailsFast so that these two lines are enough to add a fully functional Turnstile validation to any form in your app.

We leverage the cloudflare-turnstile-rails gem for this, in case you need more documentation on how to use it.

Rate limiting

I recommend setting up any rate-limiting countermeasures in Cloudflare (it's more advanced and kills any request before it actually hits your Rails app), but in case you don't want to / can't do it, you still have a very solid and production-ready mechanism to easily rate limit requests in your RailsFast apps.

Just add rate_limit to any controller:

class DemoController < ApplicationController
  rate_limit to: 3, within: 1.minute, by: -> { current_user.id }, only: :my_action
end

For example, the rule above will block each signed-in user (requests are counted per current_user.id) from submitting more than 3 requests per minute to the my_action endpoint.
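To see how that rule behaves over time, here is an added example (not RailsFast's or Rails' own code) that models the counter rate_limit keeps: Rails increments a cache entry per key that expires after the within interval, so the window is fixed rather than sliding. The WindowedLimiter class, the sample traffic and the key format are constructed for this illustration.

```ruby
# Minimal model of `rate_limit to: 3, within: 1.minute, by: -> { current_user.id }`.
# Rails increments a cache counter per key (here: per user id) and sets the
# expiry when the key is created; the window is therefore fixed, so a client
# can spend one budget just before a window ends and another right after.
# All names below are hypothetical stand-ins, not Rails' internals.

class WindowedLimiter
  Entry = Struct.new(:count, :expires_at)

  def initialize(to:, within:)
    @to = to          # max requests per window
    @within = within  # window length in seconds
    @store = {}       # stands in for Rails.cache
  end

  # Returns true if the request is allowed, false if it should get a 429.
  def allow?(key, now)
    entry = @store[key]
    if entry.nil? || entry.expires_at <= now
      # First hit of a window: counter starts fresh and expiry is set once.
      entry = @store[key] = Entry.new(0, now + @within)
    end
    entry.count += 1
    entry.count <= @to
  end
end

# Constructed sample traffic: [user_id, seconds since start].
SAMPLE_REQUESTS = [
  [42, 0], [42, 10], [42, 20], [42, 30],  # 4th request inside the minute
  [7, 35],                                # another user has its own budget
  [42, 61]                                # user 42 again, in a new window
].freeze

# Returns [user_id, t, allowed?] for each request.
def simulate(requests = SAMPLE_REQUESTS, to: 3, within: 60)
  limiter = WindowedLimiter.new(to: to, within: within)
  requests.map do |user_id, t|
    [user_id, t, limiter.allow?("rate-limit:demo:my_action:#{user_id}", t)]
  end
end

if $PROGRAM_NAME == __FILE__
  simulate.each { |user, t, ok| puts "t=#{t}s user=#{user} #{ok ? 'allowed' : '429'}" }
end
```

The fourth request from user 42 is rejected while user 7 is unaffected, and user 42 is allowed again once the minute has elapsed.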

Read more about rate_limit in the official RateLimiting docs.