Implement tiered rate limiting: Strong for sign-up/login, moderate for posts, and general defense. Custom middleware assigns tiers.

Implement rate limiting for server resource management and user experience.

Applying Rate Limiting 

[00:00] So let's open up our server. And we're going to take this config and make a variable called our rate limit default. Stick that right there. And then we're going to create three different rate limit middlewares. So these are the three. And it's going to be rate limit.

[00:19] We'll pass our config. And each one of them will have basically the same thing. So we'll have the rate limit default. But then for the strongest rate limit, we're going to say you only get 10 of these kinds of requests. And then for our strong, or just a relatively strong, a little less strong, but still strong,

[00:38] we're going to give them 100 per minute, per client, per IP address. And then for our general one, we'll actually just do the rate limit default. So that's everything else that's our current behavior now.

[00:53] So with that then, we can make our own middleware here with a rec, res, and next. And with that now, we can add a little bit of our own logic. So we'll return a call to general rate limit.

[01:12] That is our general middleware with rec, res, and next. So that's kind of our fallback, if nothing else applies. And then we need to determine, is this a non-get and non-head request? Because head requests are get requests as well.

[01:27] So we can say, if the rec.method is not equal to get, and rec.method is not equal to head, then that applies to our strong rate limit. So these are basically the POST requests. Anything that's going to do a mutation. It's something that users probably wouldn't do more than 100 times a minute.

[01:46] And so then we're going to return the strong rate limit there. But on top of that, we have the strongest rate limit, which will apply to our especially vulnerable URLs like slash signup. And eventually, we can add more of those. So we're going to make a strong paths. And this is going to be signup.

[02:04] And again, you could add more there later. And so if it's a non-get, non-head, then we can check if it's a strong paths.sum. And so if the path not just starts with, it would say if it includes that path. So if the request that's being made

[02:24] includes one of our strong paths, then we're going to return the strongest rate limit with the rec.res.next. And there we go. Now, to test this out, we are currently running in a testing environment because we are running with development mode turned on.

[02:41] So I'm going to turn off the max multiple here. And we will change this to a max of two. So if you make two requests within one minute, our window MS, then we're going to say that's too many. So just to test it out.

[02:58] So we say here, a at b.com. Back it up, a at b.com. That's two. That was fine. And now here's our third, a at b.com. And kablooey, too many requests. Please try again later. Again, you can customize that error message and all of that. So we've got our expected behavior.

[03:17] The other cool thing is you notice I refresh. That's a get request to sign up. So we don't want to just protect sign up completely from all requests. That's why we have this special check here. But if I try again, it's not been a minute yet. So I'm going to get too many requests again. So I will have to wait. Eventually, I will be able to get through, but I will have to wait.

[03:36] So that is what that experience is like for a user who is trying to sign up for too many accounts. And this is definitely a good idea to apply to any of your public endpoints, but also even your authenticated endpoints, because a user could get an account, like a nefarious user could get an account and then start hitting your APIs a bunch and costing you a bunch of money and whatever.

[03:56] So you want to add rate limiting regardless of whether it's authenticated or not. And you want to especially add extra strong rate limiting to those that are especially problematic for you. Like if you're going to send an email, don't let people just send a gajillion emails out. That'll really hurt your deliverability, just for example.

[04:14] So in review, we have this basic rate limit default. And then we have three tiers. And of course, you can have more, and you can have all sorts of different logic around this. But we've got three tiers of these rate limits. And then we have our own little middle bear that adds a little bit of logic around which

[04:32] one of these tiers these requests should apply to. And with that, we are pretty well protected. So that's adding rate limiting to your web app.

Tiered Rate Limiting with Custom Middleware

[00:00] There's a really big difference between a user on the homepage just refreshing a bunch of times, hoping they see their notifications or whatever they're looking for, and a user going to the sign up page or the login page and entering some bogus stuff and trying to guess a user's password, right? I'm okay with a user trying to refresh and get their notifications. That does happen

[00:19] sometimes. But if a user tries to sign up like 30 times in a minute, there's probably something fishy there. Or if a user tries to log in like 100 times in a minute, yeah, that's probably also quite fishy. And so we want to block that sort of behavior. So rather than just having a single

[00:38] rate limit, it actually makes sense to have kind of a tiered rate limit where you have the strongest rate limit for things like sign up and login. And then you have a relatively strong rate limit for post requests that people typically don't make a lot of post requests in web apps.

[00:53] Sometimes they do. So this is going to be fine-tuned based on your particular app. But then the other will be for just the general rate limit that protects against people sending a script at your app and just trying to take your app down. So your task is to create those

[01:11] three different tiers and to create your own little mini middleware that will do some of that checking to know which one of these tiers to call into. So give that a whirl and we'll see you when you're done.

Forms are the primary mechanism for interactivity on the web.

But for all of their importance, forms can be incredibly frustrating for developers and users alike.

There are a lot of moving parts to consider: 

You need to validate user input and handle complex data structures, while being secure from bots and data-stealing attacks. The UI should inform users of any issues as quickly as possible, and be accessible for all.

The Professional Web Forms Workshop will equip you with the tools to handle all of these challenges and more.

## Form Validation

HTML has several attributes built-in that help with form element validation. Unfortunately, they're not enough on their own. On the client-side, bad actors can bypass checks by manually adding the `novalidate` attribute or making requests directly. On the server side, there's no standard way to respond to validation errors other than a generic 400 status code.

In this section, you'll implement a base level of form validation:

- Essential HTML attributes for validation
- Server-side validation with JSON responses
- Displaying errors with the `useActionData` hook
- Disabling default browser validation messages with `useHydrated`

## Accessibility

Accessibility is often an afterthought, but should be a priority. While forms are just one part of the accessibility equation, they're a big one. In this section, you'll learn how to make sure your forms accessible and usable by all of your application's users:

- Properly associating labels with input fields
- Adding appropriate ARIA attributes when necessary
- Manage keyboard focus in response to errors and user interactions
- Creating and using a `useFocus` hook to direct the user’s focus
- Considerations for accessibility testing

## Schema-Based Validation

Manually writing conditional checks for every field in every form is tedious and error-prone: *Is there content in the field? Is it the right type? Is it within the acceptable range? There must be a better way!*

Fortunately, the combination of the Zod and Conform libraries makes it easy to define reusable declarative schemas to validate form data on the client and server:

- Safely replace HTML validation attributes with schemas
- Zod error handling & message customization
- Progressively enhanced validation with Conform
- Share type-safe validation logic between client and server

## File Uploads

Forms need to support more than just text. Images, videos, audio files, and other documents need a different type of input. Depending on the size of the file, you'll have considerations for how and where it is uploaded. In this section, you'll learn how to handle file uploads in a secure and efficient way:

- Uploading images from an `ImageChooser` component
- Handling file uploads on the server
- Schema validation for file uploads with Zod

## Complex Data Structures

The `FormData` API does not support representing objects or arrays– only key/value pairs. It also won't allow you to nest forms within each other. This makes representing complex data structures difficult without jumping through some hoops. Luckily for us, Conform has a great solution when your forms get complex. Here you'll practice:

- Infer field types with Zod
- Nesting objects as a form
- Represent arrays of fields with the `useFieldList` utility
- Add and remove items with Conform's `intent` buttons

## Spam Prevention with Honeypots

Spam bots are constantly crawling the web, looking for forms to submit junk data to boost their client’s search engine rankings and find holes in your security. This can strain server resources, contaminate databases, and cause other unforeseen consequences. One way to combat this is by using a "honeypot", which will prevent a form from being submitted by a bot. This section will teach you how to:

- Create a simple hidden-field validation
- Add a configurable honeypot instance to an action
- Prevent form submissions that are too fast
- Use environment variables for encryption seeds

## CSRF Protection

Cross-Site Request Forgery (CSRF) attacks are a type of malicious exploit where a user is tricked into performing an action they did not intend to. This is usually done by embedding a link or form in a page that the user is already authenticated to. Think of a user logged into their bank account clicking a link that transfers money from their bank account to the attacker's. To prevent this type of attack, you'll want to:

- Create a signed cookie in the user's browser
- Include unique user tokens in forms
- Validate tokens on the server via request headers

## Rate Limiting

You definitely want to prevent bad actors from making tons of requests to try to brute-force their way into your app or cause general chaos. However, malicious intent and spam aren't the only reasons you need to protect your site. Even too many legitimate requests can cause problems. Rate limiting is a way to prevent users from overloading your server with requests. Here you'll learn:

- Considerations for different limits for `GET` vs. `POST` requests
- Implementing basic rate limiting with Express middleware
- Tiered rate limiting depending on which form is being submitted

The Professional Web Forms Workshop will equip you for building complex, fully accessible forms that handle validation and file uploads while preventing spam.

Professional Web Forms

Kent C. Dodds

Full Stack Vol 1

Intro to Professional Web Forms Workshop

Introduction to Workshop

Intro to Form Validation 

Discover the importance of validation in web apps. Learn to implement required field validation for data integrity and UX enhancement.

Leverage HTML attributes for form validation, enhancing UX and accessibility. Explore browser validation and screen reader integration for user guidance.

Form Validation for Accessibility

Required Field Validation for User Input

Implement server-side validation to enhance security and user assistance, preventing client-side bypass. Customize error messages for a seamless design.

Master server-side form validation for data integrity and user-friendly error messages. Enhance UX by securely validating input before server processing.

Server-Side Form Validation and Error Handling

Server-side Validation and Custom Error Messages

Prevent incorrect form submissions pre-JavaScript with novalidate attribute using useHydrated hook. Elevate UX, maintain data integrity.

Optimize form validation with 'useHydrated' hook for client-side hydration. Enhance UX with browser-built and server-side validation synergy.

Form Validation with Client-Side Hydration

Dynamic Error Validation with Hooks

Dad Joke Break From Validation

Form Validation

Intro to Accessibility

Learn how to troubleshoot and fix issues with a non-functioning reset button and accessibility problems in a web form.

Learn how to properly associate buttons and form elements, such as the reset button, with their respective forms for improved functionality and accessibility.

Improving Accessibility and Form Associations

Fixing Form Reset Button and Accessibility Issues

Associate error messages with input fields via ARIA attributes for precise screen reader notifications. Learn about semantic HTML and ARIA for accessibility.

Use ARIA attributes like ARIA invalid & describedby. Link error messages to inputs for improved screen reader support, aiding assistive tech users.

Accessible Forms with ARIA Attributes

Error Messages and Accessibility with ARIA Attributes

Enhance app accessibility & UX with focus management: auto-focus error fields, programmable forms, & better editing. Create an inclusive, user-friendly app.

Enhance React app accessibility and UX: auto-focus form inputs and navigate to error messages for improved handling of form errors.

Managing Focus for Form Errors

Focus Management for Better User Experience

Dad Break Joke Accessibility

Accessibility

Intro to Schema Validation

Optimize development with Zod schema validation. Boost efficiency and code robustness, replacing custom logic for an enhanced developer experience. 

Learn how to implement schema validation using Zod in a note editor application. Discover how to define and enforce data

Schema Validation with Zod 

Schema Validation 

Data parsing with Conform's Conform utility. Apply server-side logic and streamline development with additional UI utilities for efficient form handling.

Improve UX & enable progressive enhancement: Replace form validation & error handling with powerful Zod utility in your app

 Form Submission and Error Handling with Conform & Zod

Form Data Parsing with Conform

Enhance UI with Conform's React utilities for end-to-end type safety. Leverage progressive enhancement for a fabulous development experience.

Eliminate custom code for better UX. Seamlessly manage form submission and client-side validation with Conform, ensuring robust server-side validation

Simplifying Form Handling with Conform and Schema Validation

Type Safety with Conform

Dad Joke Break Schema Validation

Schema Validation

Intro to File Upload

Add file upload to edit page for user-friendly image & file attachments. Handle uploads in Remix, enforcing size limits. 

Integrate image upload with form data and memory handling. Use image chooser, manage existing images, set encoding, size limit, and specify alt text. 

Image Upload with Form Data and Memory Upload Handling

File Upload Functionality 

Improve code quality and address TypeScript errors for a robust application, making Lily the life jacket (and yourself) happy.

Update schema for image ID, alt text, and file uploads. Master file validation with Zod for size restrictions and error handling on client & server sides. 

Validating File Uploads with Zod Schema in a Web Application

TypeScript Integration

Dad Joke Break File Upload

File Upload

Intro to Complex Structures 

Address challenges in grouping properties into sub-objects in forms, especially for multiple image uploads. Satisfy Zod's requirements for seamless integration.

Learn to add image field set schema to Zod schema, update HTML elements, and integrate with Conform for type safety and form functionality. 

Implementing Image Field Set with Conform and TypeScript

Grouping and Managing Related Fields in Form Objects

Update your app's schema for multiple images, adapt actions/components, and enable seamless addition/removal of multiple images for an enhanced user experience.

Master dynamic image lists with Qualifax: add and remove images effortlessly. Update schema, implement field sets, and iterate through image choosers with ease.

Dynamic Image Lists with Field Sets 

Multiple Image Uploading 

Dynamic image addition and deletion with alt text functionality, progressive enhancements, and input submission using Conform utilities in web development

Master dynamic button generation for form accessibility using Conform utilities. Modify field sets with list functions, explore progressive enhancement.

Dynamically Delete and Add Buttons

 Interactive Image Management

Dad Joke Break Complex Structures 

Complex Structures

Intro to Honeypot

Add a hidden input field honeypot to deter spam bots, enhance deliverability, and prevent spam issues. Explore additional tips for form security.

Boost sign-up form security with invisible honeypot fields to catch spam bots. Discover effective techniques for handling bot submissions in your app.

Honeypot Fields in Sign Up Forms

Adding a Honeypot to Protect Against Spam Bots

Protect your website from spam bots with automatic updates to Honeypot configurations.

Enhance security with Remix Utils Honeypot fields. Customize divs, ARIA, and server-side validation to deter spam. Best practices for errors and HTTP codes.

Honeypot Fields for Form Security

Honeypot Protection with `remix-utils`

Efficiently implement Honeypot security on forms: Transfer server data to client for reliable bot protection.

Implement honeypot protection: Create provider, configure props, render components, prevent quick form submission, thwart automated bots.

Honeypot Protection

Honeypots for Form Security 

Ensure consistent Honeypot encryption secret across servers and regions for form data integrity and conflict avoidance

Securely add honeypot secret to server validation, configure in local .env for data protection.

Setting Up Honeypot Security for Server Environment Variables

Consistent Encryption with Honeypot Server

Dad Joke Break Honeypot

Honeypot

Intro to CSRF

Implement CSRF protection: Generate tokens, set secure cookies, associate with clients, and use environment variables.

Implement Node.js CSRF utility: Generate tokens, secure cookies, prevent cross-site request forgery attacks.  

Creating and Managing CSRF Tokens With Node.js

CSRF Protection with Cookies 

Protect user data with authenticity tokens: Render, verify, and enhance user experience.

Secure forms with Authenticity Token input and CSRF validation for protection against tampering. Improve security and error responses.

Security with Authenticity Token and CSRF Validation

Authenticity With Token Protection 

Dad Joke Break CSRF

Cross-Site Request Forgery

Intro to Rate Limit 

Learn how to implement rate limiting middleware in Express for efficient resource management in your server.

Professional Web Forms

Professional Web Forms

Transcript

Tiered Rate Limiting with Custom Middleware

Transcript