| ▲ | How robust against spam should side projects be? | ||||||||||||||||
| 11 points by cyjackx 2 days ago | 9 comments | |||||||||||||||||
I am just getting into making my first project as a hobbyist, and it involves user image uploads. I can imagine a whole host of issues that platforms deal with, from spam to AI to nsfw. Integrating captchas and image analyzers, etc, all feels like overkill. Leave it be until I need it seems like the right answer, cart before the horse assuming it'll even get any traffic or attention, but it's a silly enough joke idea that I want to see if it gets shared around a bit. | |||||||||||||||||
| ▲ | andyish a day ago | parent | next [-] | ||||||||||||||||
All systems should have an upper limit harder to them, it's not that hard to implement and it's just an ultimate safeguard. In the backend, limit image size to say 50mb, the number of images a user can upload to 1k and the amount of users that can be signed up to 10k. Then you have some numbers which will let you say "regardless of what happens, I've got a hard cap of 1 TB of stored data". You don't have to show the user their usage and you can always lift the caps with a deployment. What you don't want to happen is a side-project costs you tens of thousands because one fool thought it was funny to upload a million hi-res pictures of Rick Astley while you were asleep. Slightly more work would be to limit the number of images that a user can upload in 15 minutes. Or depending on what your signup flow is making a user confirm their email but putting a short delay in sending the email out. | |||||||||||||||||
| |||||||||||||||||
| ▲ | joewils 2 days ago | parent | prev | next [-] | ||||||||||||||||
I've found most spam comes from bots operating from certain countries. Filtering traffic by IP address will stop a lot of spammy traffic. I've used a combination of GeoIP and IP address catagorization to limit the impact of bots on my side-projects. Bot Protection: https://github.com/growlfm/ipcat GeoIP Evaluation: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data... You can dig deeper using dedicated services for URL and image inspection. Image Evaluation: https://cloud.google.com/vision/docs/detecting-safe-search URL Evaluation: https://cloud.google.com/web-risk/docs/overview | |||||||||||||||||
| ▲ | JoeNuts 2 days ago | parent | prev | next [-] | ||||||||||||||||
Personally I've never had real people use any of my personal projects, just some bots trying to break into the server occasionally with some generic scripts. So you'll probably be fine | |||||||||||||||||
| ▲ | codingdave 2 days ago | parent | prev | next [-] | ||||||||||||||||
> Leave it be until I need it seems like the right answer That might be correct, but knowing what moves you intend to make if a problem occurs is wise. For example, suppose you wake up one morning to find that your site was flooded overnight with content that is illegal. If you already had a plan in place for problematic content, you execute the plan, instead of being in a high stress situation and being forced to research and make quick decisions on the fly. | |||||||||||||||||
| |||||||||||||||||
| ▲ | brudgers 2 days ago | parent | prev | next [-] | ||||||||||||||||
it involves user image uploads As soon as the people you don’t want to use your system learn about your system, they will try to use your system. | |||||||||||||||||
| ▲ | dieselgate 2 days ago | parent | prev [-] | ||||||||||||||||
Maybe just a hidden form field with “are_you_a_bot” characteristics if necessary. Otherwise things like sql injection prevention may come out of the box with frameworks like rails | |||||||||||||||||