by emedchill 968 days ago
- use CSRF tokens

- route throttling to something high since if they are new users they shouldn't need to hit that form more than once

- don't let the end user know that you were able to send an email. Keep it vague like "if your email exists, you should receive an email soon."

- don't use a personal email server; something like sendgrid can give you a server that is in good/neutral standing

- if you have to handle your own emails, keep up with any bounce backs and always keep an eye on your server being on any blacklists to get it cleared out as soon as possible

- honeypots can be useful if the spammer(s) isn't keeping a close eye on their scripts

- put your site behind a DDoS service

1 comment

> don't let the end user know that you were able to send an email.

I need to stress this is a very important point. If you happen to state the email they entered already exists in the system, the attacker now knows that is a valid account and can then use a known password linked to that email to gain access.
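The three points above that a form handler can enforce on its own (CSRF token check, throttling, and a uniform "if your email exists" response) as one added Python example written for this thread; it is not code from either commenter, and the handler class, the in-memory registered-user set and the sample addresses are constructed assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict

# Constructed in-memory set of registered users, for this example only.
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}

# One fixed message whether or not the address is registered.
NEUTRAL_MESSAGE = "If that email exists, you should receive an email soon."


class ResetFormHandler:
    """Hypothetical password-reset handler; not from any real framework."""

    def __init__(self, max_requests=3, window_seconds=3600):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._hits = defaultdict(list)  # client id -> request timestamps
        self.sent = []                  # addresses actually emailed

    def issue_csrf_token(self, session):
        """Store a fresh token in the server-side session and return it."""
        token = secrets.token_urlsafe(32)
        session["csrf"] = token
        return token

    def _throttled(self, client_id, now):
        """Sliding-window limit: a real user rarely needs this form twice."""
        window_start = now - self.window_seconds
        recent = [t for t in self._hits[client_id] if t > window_start]
        self._hits[client_id] = recent
        if len(recent) >= self.max_requests:
            return True
        recent.append(now)
        return False

    def handle(self, session, client_id, form, now=None):
        """Return (status, message); the message never reveals account existence."""
        now = time.time() if now is None else now
        expected = session.get("csrf", "")
        if not expected or not hmac.compare_digest(expected, form.get("csrf", "")):
            return 403, "Invalid CSRF token."
        if self._throttled(client_id, now):
            return 429, "Too many requests; try again later."
        email = form.get("email", "").strip().lower()
        if email in REGISTERED_EMAILS:
            self.sent.append(email)  # real code would enqueue the reset mail here
        return 200, NEUTRAL_MESSAGE
```

In production, hand the actual send to a background queue so that response time does not differ between registered and unregistered addresses, since a timing difference leaks the same information the uniform message hides.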