Testing self-hosted Bitburden 2.13.2.
I made some test using curl commands against POST /identity/connect/token endpoint and I don’t see any rate limiting on the number of attempts.
Do you confirm ?
Why not adding a delay (exponential backoff) on the login endpoint ?
I might be mistaken but isnt that what the KDF Iterations are for is to prevent brute force attacks?
Yes (good point, I didn’t think about it), it is a first level but not enough IMO : manually, I can perform 10 requests / sec… I think about something that could lock app during several secs or even minutes…
The endpoints do block requests after a certain point, you’ll get HTTP 429, for cloud users.
Be nice to our API 
That’s fine but what about self-hosted users ?
It could be done via firewall, etc - depending on hosting configuration.