Closed lhaemmerle closed 1 year ago
True, it's not used. Anyone who knows the URL can currently verify responses. Feel free to provide a pull request.
Be aware that the "official" server does much more bot-protection work :-)
I just did :-)
Could you explain a bit more what additional bot-protection one can expect from the official server? I mean, except for the IP address there is not much more that can be reliably checked? Analysing the user agent also won't help much because this can be arbitrarily set by bots.
@dev-love a question for your team :)
@lhaemmerle We look at the anonymized visitor's history across all websites, as well as reputation lists (of their anonymized IP and ASN), and we scale the difficulty. We also look at the timing information (e.g. what patterns of submissions users generally have), as well as the frequency of submissions and puzzle requests. As for the user agent and other headers, we look at whether they are consistent with each other (i.e. do we think the user agent is being lied about?). We're actively working on version two, which will include dynamic code generation and additional signals that we can use as input (such as more browser characteristics). For some use cases friendly-lite-server can be the right answer - you probably know your use case and requirements the best. We're happy to chat of course and provide more details (and some auxiliary benefits, like being able to see statistics of solvers, but also help in case there is someone with a budget abusing your website). I hope that I was able to help you with this info!
Code works well and is surprisingly short :-) I wonder why there is an API key in the env.php file if it is not used anywhere in the code? It does not seem like it is checked at all currently.
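The gap raised above (an API key configured in env.php but never checked, so anyone who knows the URL can call the verify endpoint) is the kind of thing a guard like the following closes. This is an added example written for this thread, not code from friendly-lite-server; it assumes env.php returns an array with an `API_KEY` entry and that callers send the key in a POST field named `secret`, and the error strings are illustrative.

```php
<?php
// Added example, not friendly-lite-server code. Rejects verify requests that
// do not present the configured API key before any puzzle solution is checked.
// Assumptions (not from the issue): env.php returns ['API_KEY' => '...'] and
// the caller sends the key as POST field 'secret'.

declare(strict_types=1);

/**
 * Compare a presented key against the configured one.
 * Returns true only when both are non-empty strings and equal. hash_equals()
 * runs in constant time, so the comparison does not leak how many bytes matched.
 */
function apiKeyIsValid(mixed $presented, mixed $configured): bool
{
    // Reject anything that is not a string (e.g. secret[]=... sent as an array).
    if (!is_string($presented) || !is_string($configured)) {
        return false;
    }
    // An empty key in env.php must fail closed, not disable the check.
    if ($presented === '' || $configured === '') {
        return false;
    }
    return hash_equals($configured, $presented);
}

/**
 * Guard for the verify endpoint: answer 401 and stop if the key is missing
 * or wrong, so unauthenticated callers never reach the solution check.
 */
function requireApiKey(array $env, array $post): void
{
    if (!apiKeyIsValid($post['secret'] ?? null, $env['API_KEY'] ?? null)) {
        http_response_code(401);
        header('Content-Type: application/json');
        // Error code is illustrative, not the project's own format.
        echo json_encode(['success' => false, 'errors' => ['secret_invalid']]);
        exit;
    }
}

// Usage in the verify script (hypothetical file layout):
// $env = require __DIR__ . '/env.php';
// requireApiKey($env, $_POST);
// ... only then continue with the existing solution verification ...
```

Rotating the key after adding the check is worth doing, since an unused key may have been treated as non-sensitive up to now.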