Security & Spam Protection
Quipthread applies several layers of protection before a comment is stored. This page describes what is built in and how to handle threats that are better addressed at the infrastructure level.
Built-in protections
Rate limiting
Comment submissions are rate-limited per IP address. The default is 5 submissions per 10 minutes. Self-hosters can adjust this via the RATE_LIMIT_COMMENTS environment variable (format: count/duration, e.g. 10/5m).
Heuristic spam detection
Every comment passes through a heuristic check before being stored. Comments are auto-rejected if they:
- Contain fewer than 2 characters of plain text
- Exceed 10,000 characters
- Contain dangerous HTML (<script>, <iframe>, javascript:, etc.)
- Exceed the configured link density threshold (SPAM_MAX_LINKS)
- Contain a run of 10 or more identical characters
Auto-rejected comments are saved with rejected status so you have an audit trail. The author sees “awaiting approval” rather than an error.
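As an added illustration of the heuristic pipeline described above (example code, not Quipthread's own implementation), the sketch below applies each rule and returns the reasons a comment trips. The SPAM_MAX_LINKS default, the treatment of that threshold as a plain link count, the exact tag patterns and the "pending" status for accepted comments are assumptions.

```python
import html
import re

# Limits mirroring the page's rules. SPAM_MAX_LINKS is assumed here to be a
# maximum number of links (the page calls it a "link density threshold"
# without defining the unit); 3 is a constructed default, not the project's.
MIN_PLAIN_TEXT = 2
MAX_LENGTH = 10_000
SPAM_MAX_LINKS = 3
MAX_REPEAT_RUN = 10

TAG_RE = re.compile(r"<[^>]+>")
# Patterns assumed for the "dangerous HTML" rule: script/iframe tags and
# javascript: URLs, matched case-insensitively.
DANGEROUS_HTML_RE = re.compile(r"<\s*(script|iframe)\b|javascript\s*:", re.IGNORECASE)
LINK_RE = re.compile(r"https?://|<a\b", re.IGNORECASE)
# A run of MAX_REPEAT_RUN identical characters (the first plus 9 repeats).
REPEAT_RE = re.compile(r"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1), re.DOTALL)


def plain_text(body: str) -> str:
    """Strip tags and decode entities so the length check sees visible text only."""
    return html.unescape(TAG_RE.sub("", body)).strip()


def spam_reasons(body: str, max_links: int = SPAM_MAX_LINKS) -> list[str]:
    """Return every heuristic the comment trips; an empty list means it passes."""
    reasons = []
    if len(plain_text(body)) < MIN_PLAIN_TEXT:
        reasons.append("too-short")
    if len(body) > MAX_LENGTH:
        reasons.append("too-long")
    if DANGEROUS_HTML_RE.search(body):
        reasons.append("dangerous-html")
    if len(LINK_RE.findall(body)) > max_links:
        reasons.append("too-many-links")
    if REPEAT_RE.search(body):
        reasons.append("repeated-characters")
    return reasons


def store_status(body: str) -> str:
    """Rejected comments are kept with 'rejected' status for the audit trail;
    'pending' for everything else is an assumed name, not from the page."""
    return "rejected" if spam_reasons(body) else "pending"
```

Because every rule is evaluated rather than short-circuiting, the returned list can be logged alongside the rejected comment to explain the decision during moderation.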
Blocked terms
The Mod Rules tab lets you maintain a list of blocked terms. Any comment containing a blocked term is auto-rejected on submission. See Moderation for details.
Cloudflare Turnstile
Turnstile adds a bot challenge before the comment form is submitted. Configure your site key and secret key in the dashboard under Account → Security. Turnstile runs entirely client-side and does not affect the comment submission UX for real users.
User banning and shadow banning
Individual users can be banned (hard block) or shadow banned (they see their own comments, other users do not) from the Users tab. Shadow banning is effective against persistent bad actors who would simply create a new account after a hard ban.
IP-level blocking
Quipthread does not maintain an in-app IP blocklist. IP blocking is deliberately handled at the infrastructure layer, where it is more effective (blocked requests never reach the application) and more powerful.
Cloud (managed)
Cloud deployments run behind Cloudflare. To block an IP address or range, contact support — blocks are applied at the Cloudflare WAF level and take effect immediately across all traffic.
For your own sites embedding the cloud widget, note that IP blocking applies to requests to app.quipthread.com. If a visitor can reach your page, they can still see existing comments; the block prevents them from submitting new comments.
Self-hosted
Block IPs at your reverse proxy or firewall before traffic reaches the Quipthread container.
Caddy
    @blocked {
        remote_ip 203.0.113.42 198.51.100.0/24
    }
    respond @blocked 403

nginx

    deny 203.0.113.42;
    deny 198.51.100.0/24;

Cloudflare (in front of self-hosted)
If you proxy your self-hosted instance through Cloudflare, you can use Cloudflare Firewall Rules or WAF Custom Rules to block by IP, country, ASN, or threat score — without touching your server configuration.