Hit limit question

The browser validation system makes it a bit more complicated, but it won’t stop a dedicated attacker.

It sounds like this is a problem that could be solved with IP based rate limiting, but I haven’t seen anyone ever hit such a thing on free hosting, so I’m not sure if such a feature exists, or why it doesn’t.

I’d argue the opposite. We disabled sleep because it makes sites easy to flood.

PHP is a single process programming language. For every request coming in, a separate process is created, and while that request is being processed, the process is alive. Every running process consumes CPU and memory, so more concurrent processes means more server load.

There have been times when the client area was completely inaccessible due to high load. Not because a lot more processing was being done, or because more traffic was coming in, but because the hosting platform had an issue and all API calls were hanging. This caused the number of concurrent processes to shoot up and overwhelm the system.

An attacker can just compensate for it by having more concurrent requests. Or even start the request, and then cancel the request on their end, leaving their system free to send another request while the server is still generating a response.

(Invisible) ReCaptcha only works on forms, not entire sites. But the client area also has it on the login page, primarily to stop brute force attacks, and it’s really effective at that.

Server hardware costs a lot of money. Energy costs money too. The global chip shortage affects the server market too. And the current energy crisis in Europe also affects datacenters.

Sure, staff usually costs a lot more. But server space is most definitely not free either.

That sounds like device fingerprinting. It’s a fairly effective way to track people. But again, we’re not really interested in how many people visit your website, only the load it generates on the servers.