would be nice to have something more built-in. also, afaik requests blocked by the rate limiter still count towards your quota
14 Replies
If they can't reach your website first, they can't make requests. Having a protection on top of your website is the best.
Something like Cloudflare or Vercel protects your app before it's even hit.
I'm pretty sure the only endpoints somebody could hit if he wanted to DDoS your Convex is the http.ts file and even this could be protected.
do you know if there's any guide/blog post that explains all that?
Convex Overview | Convex Developer Hub
Introduction to Convex - the reactive database with TypeScript queries
This would help.
HTTP Actions | Convex Developer Hub
Build HTTP APIs directly in Convex
If a query goes through, it's because the bot is on the web app. Vercel/Cloudflare provide services to block those bots before they can hit your app.
You can also further protect specific routes, functions, pages, etc. with captchas (🤮) or Vercel BotID if you are on Vercel
I'm curious, couldn't someone reverse engineer the endpoints and use them from a script?
Also not on Vercel, but I'll check it with Cloudflare
Which endpoints? HTTP or Convex server functions?
Both
By looking into the websocket connection/requests
Depends on your use case for the HTTP endpoints. For the server functions, as far as I know, they can only be hit from within your app and that's why the HTTP endpoints exist.
I don't see how the server functions could be limited to only be hit from within the app. I could be wrong though
I'm not an expert in security but I'm pretty sure tokens, env variables and CORS are used to limit
afaik no tokens are added by default, unless you use some auth component
not sure about CORS tho
CORS applies only to requests made through browsers
so repeating a request in another program (e.g. Postman) will work, even if you have CORS implemented
It all depends on what is exposed and how it's exposed