We created paranoid mode to prevent user enumeration. First, if you don't know anything about user enumeration, take a look at this reference:
If you use paranoid mode in Devise, you're protected against user enumeration in the confirmable, recoverable and unlockable modules, but not in registerable. One of the validations when creating a new user is that it has a unique e-mail or login. So we can't apply the same kind of response to the register controller, because the user would not know whether the account was created or not.
There are two solutions that are very common on the internet and that should stop robots from doing the enumeration:
Of course, this only stops robots that make a lot of requests. There is no way to stop anybody from doing an enumeration by hand.
In order to use the parameter, you have to turn on paranoid mode in your devise.rb, like this:
    Devise.setup do |config|
      config.paranoid = true
    end
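
What paranoid mode changes for a recoverable-style endpoint, and why registration stays enumerable, shown as an added Ruby sketch that is not Devise's own code. The handlers, response messages and e-mail addresses are a constructed model (assumptions), and `enumerable?` is a hypothetical check you could point at your own endpoints.

```ruby
# Added example: a toy model of the behaviour described above, not Devise code.
# All names, messages and addresses below are constructed for illustration.
Response = Struct.new(:status, :body)

KNOWN_EMAILS = ["alice@example.test"].freeze # constructed sample account

# Models a password-recovery request (the recoverable module's use case).
def recover_password(email, paranoid:)
  if paranoid
    # Same status and body whether or not the account exists.
    Response.new(200, "If your e-mail exists, you will receive instructions.")
  elsif KNOWN_EMAILS.include?(email)
    Response.new(200, "You will receive instructions in a few minutes.")
  else
    Response.new(422, "E-mail not found")
  end
end

# Models sign-up. The uniqueness validation has to be reported, otherwise
# the user cannot tell whether the account was created, so the paranoid
# flag has no effect here.
def register(email, paranoid:)
  if KNOWN_EMAILS.include?(email)
    Response.new(422, "E-mail has already been taken")
  else
    Response.new(200, "You have signed up successfully.")
  end
end

# Hypothetical check: an endpoint leaks account existence when the response
# for a known address differs from the response for an unknown one.
def enumerable?(endpoint, paranoid:)
  known   = send(endpoint, "alice@example.test", paranoid: paranoid)
  unknown = send(endpoint, "nobody@example.test", paranoid: paranoid)
  known != unknown
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |mode|
    %i[recover_password register].each do |endpoint|
      puts "paranoid=#{mode} #{endpoint}: enumerable=#{enumerable?(endpoint, paranoid: mode)}"
    end
  end
end
```

Against a real application, the same comparison should also cover redirects, headers and response time, since any of these can differ between the two cases.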