Since the endpoints for creating leads and carts are public, they are an easy target for a DDoS attack, or at least for somebody to fill up the database with trash.
Using a browser fingerprint as the rate-limit key is a good solution for this.
Even though FingerprintJS is only 40-60% accurate, which is not good enough to use as the source for the lead ID, it is more than good enough for rate limiting.
That accuracy figure is about uniqueness across all visitors over time; if you look at it within a single 10 minute window, only a handful of visitors are active at once, so the probability that a genuine lead hits the site with the same fingerprint as another lead in the same 10 minute window is very small, and a false throttle is rare. The fingerprint is still computed and sent by the client, so an attacker can omit or rotate it; treat a missing fingerprint as a bad request and keep a looser per-IP limit as a backstop.