stingraycharles 6 hours ago
What is a better solution?

sarchertech 4 hours ago
You have to think hard about the problem and apply individual solutions. Cloudflare didn’t work for the author anyway. Even if they had more intrusive settings enabled, it would have just added captchas, which wouldn’t likely have stopped this particular attacker (and which you can do on your own easily anyway).

In this case I assume the reason the attacker used the change credit card form was because the only other way to add a credit card is when signing up, which charges your card the subscription fee (a much larger amount than $1). So the solution is: don’t show the change card option to customers who don’t already have an active (valid) card on file.

A more generic solution is site-wide rate limiting for anything that allows someone to charge very small amounts to a credit card. Or better yet, don’t have any way to charge very small amounts to cards. Do a $150 hold instead of $1 when checking a new card.

As far as Cloudflare centralization goes though, you’re not going to solve this problem by appealing to individual developers to be smarter and do more work. It’s going to take regulation. It’s a resiliency and national security issue; we don’t want a single company to function as the internet gatekeeper. But I’ve said the same about Google for years.
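
The two mitigations described in the comment above (hiding the change-card form from accounts with no valid card on file, and a site-wide cap on small verification charges), as an added example that is not part of the thread. The class name, the `has_active_card` field, and the thresholds are assumptions.

```python
from collections import deque

class CardChangeGate:
    """Hypothetical policy check run before any small verification charge."""

    def __init__(self, site_limit=20, window_s=3600):
        self.site_limit = site_limit      # assumed threshold, tune per site
        self.window_s = window_s
        self.charges = deque()            # timestamps of allowed charges, site-wide

    def decide(self, account, now):
        # Drop timestamps that have aged out of the sliding window.
        while self.charges and now - self.charges[0] >= self.window_s:
            self.charges.popleft()
        # Gate 1: only accounts that already hold a valid card may swap it.
        if not account.get("has_active_card"):
            return "deny_no_active_card"
        # Gate 2: cap verification charges across all accounts, so that
        # spreading attempts over many accounts does not raise the budget.
        if len(self.charges) >= self.site_limit:
            return "deny_site_limit"
        self.charges.append(now)
        return "allow"

def replay(events, gate):
    """Run (timestamp, account) pairs through the gate in order."""
    return [gate.decide(acct, t) for t, acct in events]

# Constructed sample traffic: (seconds, account record).
SAMPLE = [
    (0, {"id": "a1", "has_active_card": False}),
    (1, {"id": "a2", "has_active_card": True}),
    (2, {"id": "a3", "has_active_card": True}),
    (3, {"id": "a4", "has_active_card": True}),
    (3602, {"id": "a5", "has_active_card": True}),
]

if __name__ == "__main__":
    results = replay(SAMPLE, CardChangeGate(site_limit=2))
    for (t, acct), decision in zip(SAMPLE, results):
        print(t, acct["id"], decision)
```
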