
Rate Limiting

Web applications that include form submissions can be vulnerable to brute-force submission attacks that submit the same form many times. Many web application vulnerability scanners test web forms by injecting various values and submitting the forms to see whether any exploits are possible. A scanner may try many different values, resulting in the form being submitted many times.

Attackers can exploit these vulnerabilities and cause denial-of-service conditions on the application or associated systems.

Forms that are used to notify an email address are especially sensitive to this, as excessive form submission can cause email floods to inboxes or shared mailboxes.

The solution to protecting your web application forms from both attackers and vulnerability scanners is to implement some verification or limitation on form submissions. Here are a few ways you can protect web forms such as RSVP or information request/feedback pages:

reCAPTCHA from Google:

https://www.google.com/recaptcha/

Drupal modules

Edit the email field in the web form and check both the "mandatory" and "unique" options. That way, the form will not accept more than one submission with the same email address.
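The two controls described on this page, a per-client limit on how often a form may be submitted and a mandatory, unique email field, combined in one server-side check. This is an added example written for this page, not Drupal or reCAPTCHA code; the `FormSubmissionGuard` class, the client key (an IP address) and the sample submissions are all constructed for illustration.

```python
import time
from collections import defaultdict, deque


class FormSubmissionGuard:
    """Sliding-window rate limiter plus mandatory/unique email check for a form.

    Hypothetical helper written for this page; not a Drupal or reCAPTCHA API.
    """

    def __init__(self, max_per_window, window_seconds, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock            # injectable so tests can control time
        self._hits = defaultdict(deque)  # client key -> times of accepted submissions
        self._seen_emails = set()        # emails already used (the "unique" option)

    def check(self, client_key, email):
        """Return (accepted, reason). Order: mandatory, unique, then rate limit.
        Rejected submissions do not consume the client's rate budget."""
        email = (email or "").strip().lower()
        if not email:
            return False, "email_required"
        if email in self._seen_emails:
            return False, "duplicate_email"
        now = self.clock()
        q = self._hits[client_key]
        # Drop accepted submissions that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_per_window:
            return False, "rate_limited"
        q.append(now)
        self._seen_emails.add(email)
        return True, "ok"


def simulate():
    """Replay a constructed burst from one client (sample data, not real traffic):
    at most 3 accepted submissions per 60 seconds, one submission every 5 seconds."""
    t = [0.0]
    guard = FormSubmissionGuard(max_per_window=3, window_seconds=60, clock=lambda: t[0])
    burst = ["a@example.com", "a@example.com", "b@example.com",
             "c@example.com", "d@example.com", ""]
    results = []
    for i, email in enumerate(burst):
        t[0] = i * 5.0
        results.append(guard.check("203.0.113.7", email)[1])
    t[0] = 100.0  # window has expired, so the client is allowed again
    results.append(guard.check("203.0.113.7", "e@example.com")[1])
    return results
```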