gem 'rack-attack'
gem 'rack-cors'

1. rack-attack 可以根据ip、域名等设置黑名单、设置访问频率

• 设置黑名单

# 新增 config/initializers/rack_attack.rb
# 请求referer如果匹配不上设置的allowed_origins，返回403 forbidden
Rack::Attack.blocklist('block bad domains') do |req|
  next if !req.path.start_with?('/admin_api/') || Rails.env.test?

  Rails.application.credentials.allowed_origins.none? {
    |r| Regexp.new(r) =~ req.referer }
end

# EDITOR="vim" bin/rails credentials:edit
allowed_origins