
We are being bombarded with random POSTs and GETs, mostly 500s because of an invalid authenticity token (POST):

Started POST "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" for 45.146.165.123 at 2021-06-29 04:15:39 -0400
I, [2021-06-29T04:15:39.769996 #2050]  INFO -- : [be4241b9-0494-4fb5-b434-2d11038017f1] Processing by HomeController#index as
I, [2021-06-29T04:15:39.770109 #2050]  INFO -- : [be4241b9-0494-4fb5-b434-2d11038017f1]   Parameters: {"<?"=>"md5(\"phpunit\")?>", "path"=>"vendor/phpunit/phpunit/src/Util/PHP/eval-stdin"}
W, [2021-06-29T04:15:39.790171 #2050]  WARN -- : [be4241b9-0494-4fb5-b434-2d11038017f1] Can't verify CSRF token authenticity.
I, [2021-06-29T04:15:39.833066 #2050]  INFO -- : [be4241b9-0494-4fb5-b434-2d11038017f1] Completed 422 Unprocessable Entity in 53ms (MongoDB: 0.0ms)
F, [2021-06-29T04:15:39.916526 #2050] FATAL -- : [be4241b9-0494-4fb5-b434-2d11038017f1]
F, [2021-06-29T04:15:39.916666 #2050] FATAL -- : [be4241b9-0494-4fb5-b434-2d11038017f1] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

If we implement this solution:

Intermittent Rails 5 ActionController::InvalidAuthenticityToken

then we let the bots know that we are redirecting. Is that bad? If so, is there a better way to block them without flooding our prod logs with 500s?

Thanks, Kevin


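As an added example in Ruby (not code from the original post), a small script that reads a Rails log excerpt like the one above and tallies InvalidAuthenticityToken failures per client IP and path, flagging sources whose failures all land on PHP-looking paths so they can be rate-limited at the proxy instead of being left to fill the production log. It assumes the lines of one request are contiguous (a single worker); the excerpt, request ids and IPs are constructed for the example.

```ruby
# Added example, not part of the original post. Assumes the log lines of one
# request are contiguous (single worker); the excerpt is constructed and uses
# documentation IPs. Counts CSRF failures per client IP and path.
SAMPLE_LOG = <<~LOG
Started POST "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" for 203.0.113.10 at 2021-06-29 04:15:39 -0400
F, [2021-06-29T04:15:39.916666 #2050] FATAL -- : [be42] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
Started POST "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" for 203.0.113.10 at 2021-06-29 04:15:41 -0400
F, [2021-06-29T04:15:41.100000 #2050] FATAL -- : [c1d2] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
Started POST "/sessions" for 198.51.100.7 at 2021-06-29 04:16:02 -0400
F, [2021-06-29T04:16:02.200000 #2050] FATAL -- : [e3f4] ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
Started GET "/" for 198.51.100.7 at 2021-06-29 04:16:05 -0400
I, [2021-06-29T04:16:05.300000 #2050]  INFO -- : [a5b6] Completed 200 OK in 8ms
LOG
STARTED_RE = /\AStarted (?<verb>[A-Z]+) "(?<path>[^"]*)" for (?<ip>\S+) at /
CSRF_FAIL  = 'ActionController::InvalidAuthenticityToken'.freeze

# Parse a "Started ..." line into verb, path and client IP, or nil.
def parse_started(line)
  m = STARTED_RE.match(line) or return nil
  { verb: m[:verb], path: m[:path], ip: m[:ip] }
end

# A Rails app serves no PHP, so *.php paths mark probes for other software (heuristic).
def scanner_path?(path)
  path.split('?', 2).first.end_with?('.php')
end

# Count InvalidAuthenticityToken exceptions per [ip, path].
def csrf_failures(log_text)
  counts = Hash.new(0)
  current = nil
  log_text.each_line do |line|
    if (req = parse_started(line))
      current = req
    elsif current && line.include?(CSRF_FAIL)
      counts[[current[:ip], current[:path]]] += 1
    end
  end
  counts
end

# IPs with at least min_failures CSRF failures, all on scanner-looking paths, by count.
def noisy_scanners(log_text, min_failures: 2)
  per_ip = Hash.new { |h, k| h[k] = { total: 0, scanner: 0 } }
  csrf_failures(log_text).each do |(ip, path), n|
    per_ip[ip][:total] += n
    per_ip[ip][:scanner] += n if scanner_path?(path)
  end
  per_ip.select { |_, s| s[:total] >= min_failures && s[:scanner] == s[:total] }
        .sort_by { |_, s| -s[:total] }.map { |ip, s| [ip, s[:total]] }
end
```

Running `noisy_scanners(SAMPLE_LOG)` on the excerpt returns only the IP that hits the PHP path; the legitimate-looking `/sessions` failure stays out of the list and can be handled on its own.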