
Change rate limits for various paths #14253

Merged (1 commit), Jul 7, 2020

Conversation

Gargron
Member

@Gargron Gargron commented Jul 7, 2020

  • Rate limit login attempts by target account
  • Rate limit password resets and e-mail re-confirmations by target account
  • Rate limit sign-up/login attempts, password resets, and e-mail re-confirmations by IP like before

@Gargron Gargron added the security Security issues and fixes, vulnerabilities label Jul 7, 2020
@Gargron Gargron merged commit 81a3db1 into master Jul 7, 2020
@Gargron Gargron deleted the fix-brute-force-login branch July 7, 2020 13:26
@umonaca
Contributor

umonaca commented Jul 8, 2020

There are some occasions where multiple devices share the same IP behind NAT. Throttling might break the user experience. Also, if the server admin misconfigures Nginx (e.g. behind Cloudflare) and does not forward the real IP, most users may be blocked from accessing the server.
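The two keying strategies in the PR description (per target account and per client IP) and the shared-IP problem raised above, illustrated by an added Ruby example; this is not Mastodon's code or its Rack::Attack configuration, and the class name, limits and window lengths are assumptions:

```ruby
# Added example (not Mastodon's code): a minimal in-memory throttle that applies
# two independent limits per login attempt, one keyed by the target account and
# one keyed by the client IP. Limits and periods are assumed values.
class LoginThrottle
  Rule = Struct.new(:name, :limit, :period)

  RULES = {
    account: Rule.new('login_by_account', 5, 300),  # 5 attempts / 5 min per target account
    ip:      Rule.new('login_by_ip',      25, 300)  # 25 attempts / 5 min per client IP
  }.freeze

  # `now` is injectable so the window expiry can be exercised deterministically.
  def initialize(now: -> { Time.now.to_f })
    @now = now
    @counters = Hash.new { |h, k| h[k] = [] } # "rule:discriminator" => [timestamps]
  end

  # Normalize the identifier so "Alice@Example.com " and "alice@example.com"
  # fall into the same per-account bucket.
  def self.account_key(email)
    email.to_s.strip.downcase
  end

  # Records one login attempt and returns the name of the first rule that
  # rejects it, or nil if the attempt is allowed. Both rules are always
  # evaluated, so a rejected attempt still counts toward every window.
  def attempt(ip:, email:)
    t = @now.call
    checks = { account: self.class.account_key(email), ip: ip }
    checks.map { |rule, discriminator| exceeded?(RULES[rule], discriminator, t) }.compact.first
  end

  private

  # Sliding window: drop timestamps older than the period, add this attempt,
  # then compare the window size against the rule's limit.
  def exceeded?(rule, discriminator, t)
    key = "#{rule.name}:#{discriminator}"
    window = @counters[key].select { |ts| ts > t - rule.period }
    window << t
    @counters[key] = window
    window.size > rule.limit ? rule.name : nil
  end
end
```

The per-account bucket is what stops attempts against one account spread across many source addresses, while a NAT-shared or misreported client IP only fills the IP bucket, so the blast radius of an IP misconfiguration is bounded to that one rule.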
