Make existence checks asynchronous to prevent enumeration

takeaway 3 connections

On registration, password-reset and confirmation forms, do not check account existence synchronously. Schedule a Sidekiq job that either sends a 'reset your password' email if the account exists or a 'confirm your account' email if it doesn't. The HTTP response takes constant time, defeating timing-based enumeration attacks. Doesn't work for login — use rate limiting there.

type

recommendation

takeaway Make existence checks asynchronous to prevent enumeration

about

Timing-Based Enumeration concept

Prevents timing attacks by constant-time responses.

takeaway Make existence checks asynchronous to prevent enumeration

about

Sidekiq tool

Uses Sidekiq background jobs as the mechanism.

takeaway Make existence checks asynchronous to prevent enumeration

from_talk

Devise pitfalls and way to tighten security talk

Core mitigation for timing-based enumeration.

Provenance

Created in: Devise pitfalls and way to tighten security — Rafał Rothe... 2026-04-17 21:52