Perfect is the enemy of good (#1)
trying to keep it simple
We have a client who was the target of a sort of brute force attack recently.
Someone ran a bot that repeatedly created accounts, triggering welcome emails en masse. We got the warning from AWS; they blocked our email capabilities shortly, as it looked as if we were using the AWS email service to spam.
This project has been public for more than 3 years, and it was the first time something like this ever happened (and this is an app that’s seen thousands of organic user sign-ups).
For some specific types of apps, this may be an issue that cannot happen - the business domain may not allow for downtime of email capabilities. But we just dealt with this incident without too much of a hassle, and two days later no one was talking about it - it wasn’t a big deal.
We have now implemented restrictions like a captcha for suspicious users (Google’s reCAPTCHA v3 is pretty good for this).
It’s always good to find these small things that remind us that it was great that we did not waste a second trying to over-protect a sign-up form - it would have been an effort with no value for 3+ years. And that’s the effort of initially building it, and testing it, and re-testing it when we refactor, and slowing down tests in the initial phase because oh, that damned captcha…
I wonder how many more things we didn’t build and we’re never going to need, and how many things we may have built that we’re never going to use.

