# support
t
General question surrounding fraudulent orders. One of our clients' stores has gotten a large amount of fraudulent orders recently (126 this weekend alone), all for the same price amount and on the same product it looks like. Are there any known Solidus vulnerabilities that bots/bad actors might be leveraging? Also are there any good known ways to combat this? We have Signifyd on this store to help catch them, but not sure if there are any best practices or good tools that could block them before they get placed. First thought was maybe adding reCaptcha v3 to checkout somehow.
j
Cloudflare's captcha can be effective for mitigating them. If they all come from the same IP you can always try something like rack-attack (which is good to run for also protecting against things like password brute force attempts).
t
Ah cool. Since they're using Cloudflare already, I'll play around with the security settings in here. Currently the security level is set to "essentially off" so will turn that up and also going to toggle on the "Bot fight mode" setting to see if these help. If not, will probably need to look at implementing that rack-attack gem. Thanks for the tips!
e
we're using AWS WAF with geo blocking and rack-attack to try to mitigate the attacks, frauds, etc in some of our rails apps, it's relatively easy to add and helps a lot
t
Awesome, thank you. We're using Hatchbox, but sounds like another vote for rack-attack.
c
When you're adding Cloudflare / WAF rules or even rack-attack, remember to add any external system IPs that may be hitting the Solidus API endpoints to an allow list, otherwise they may get blocked if they are making requests in bursts 🙂
t
Good point. Thanks for the tip.
👍🏼 1
j
I definitely have seen someone misconfigure rack-attack such that it thought health checks were automated attacks, blocked them... causing the boxes to all get removed from the load balancer... and taking the website down.
😩 1
It's easy to make mistakes like that.
c
Yeah, best to exclude the health-check endpoint altogether probably 😄