Delay against brute-force

Testing self-hosted Bitwarden 2.13.2.

I made some tests using curl commands against the POST /identity/connect/token endpoint and I don't see any rate limiting on the number of attempts.

Do you confirm?

Why not add a delay (exponential backoff) on the login endpoint?

I might be mistaken, but isn't that what the KDF iterations are for, to prevent brute-force attacks?

Yes (good point, I didn't think about it), it is a first level but not enough IMO: manually, I can perform 10 requests/sec… I am thinking of something that could lock the app for several seconds or even minutes…

The endpoints do block requests after a certain point; you'll get HTTP 429, for cloud users.

Be nice to our API :smile:

That's fine, but what about self-hosted users?

It could be done via a firewall, etc., depending on hosting configuration.
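One way to get the "infrastructure layer" limit the last reply refers to is a request rate limit on the token endpoint at a reverse proxy in front of the self-hosted instance. The snippet below is an added example, not part of the original thread and not Bitwarden's own configuration: it assumes an nginx proxy that terminates TLS and forwards to the Bitwarden stack on 127.0.0.1:8080 (hypothetical host and port; the server name and rate values are illustrative too). Only the POST /identity/connect/token path named in the thread is limited, keyed on the client IP.

```nginx
# Added example: per-client-IP rate limit on the Bitwarden login/token endpoint.
# Assumptions (not from the thread): nginx sits in front of the self-hosted stack,
# which listens on 127.0.0.1:8080; vault.example.com is a placeholder name.

http {
    # Shared-memory zone keyed on client IP (4 bytes per IPv4 entry, 10 MB total).
    # Steady-state allowance: 2 requests per second per IP.
    limit_req_zone $binary_remote_addr zone=bw_token:10m rate=2r/s;

    # Answer excess requests with 429, the same status the cloud service returns.
    limit_req_status 429;
    limit_req_log_level warn;

    # If another proxy or load balancer sits in front of nginx, restore the real
    # client address, otherwise every user shares the upstream proxy's IP and the
    # limit applies to all of them at once. Replace the CIDR with your proxy's range.
    # set_real_ip_from 10.0.0.0/8;
    # real_ip_header   X-Forwarded-For;

    server {
        listen 443 ssl;
        server_name vault.example.com;
        # ssl_certificate / ssl_certificate_key omitted for brevity

        # Exact-match location so only the token endpoint is limited.
        location = /identity/connect/token {
            # Allow a short burst of 5 (e.g. a user retyping a password, or the
            # client refreshing a token) and reject anything beyond it immediately
            # instead of queueing it.
            limit_req zone=bw_token burst=5 nodelay;

            proxy_pass         http://127.0.0.1:8080;
            proxy_set_header   Host              $host;
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
        }

        # Everything else is proxied without a limit.
        location / {
            proxy_pass         http://127.0.0.1:8080;
            proxy_set_header   Host              $host;
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
        }
    }
}
```

Two caveats a practitioner would check: the same OAuth token endpoint also serves token refreshes from already logged-in clients, so the burst value should stay generous enough that several devices behind one NAT address do not trip it; and a per-IP limit only slows a single source, so it complements the KDF work factor mentioned above rather than replacing it (an attacker spread across many addresses still gets one attempt per address per interval).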