Add Rack::Attack to block PHP bots (#353)

Oli0li · web-flow · commit 72c55b18a45e · 2025-08-06T21:14:46.000+01:00
diff --git a/Gemfile b/Gemfile
@@ -19,6 +19,7 @@ gem "pagy"
 gem "pg", "~> 1.6"
 gem "propshaft"
 gem "puma", ">= 5.0"
+gem "rack-attack"
 gem "rails", "~> 8.0.1"
 gem "requestjs-rails"
 gem "scout_apm"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -386,6 +386,8 @@ GEM
     raabro (1.4.0)
     racc (1.8.1)
     rack (3.2.0)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-mini-profiler (4.0.1)
       rack (>= 1.2.0)
     rack-session (2.1.1)
@@ -616,6 +618,7 @@ DEPENDENCIES
   pg (~> 1.6)
   propshaft
   puma (>= 5.0)
+  rack-attack
   rack-mini-profiler
   rails (~> 8.0.1)
   rails-controller-testing
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -0,0 +1,11 @@
+class Rack::Attack
+  Rack::Attack.enabled = Rails.env.production?
+
+  Rack::Attack.throttle("requests by ip", limit: 5, period: 2) do |request|
+    request.ip
+  end
+
+  Rack::Attack.blocklist("php-bots") do |req|
+    req.ip if /\S+\.php/.match?(req.path)
+  end
+end
