There's no rate-limiting built into the API.
Right now it's possible to freely brute-force login, both with a known existing user (only brute-forcing the password) as well as a "clusterbomb" brute-force where both user and password are guessed.
It doesn't necessarily have to be implemented in the API since nginx can do it on an IP-basis and that may be enough.
But that has to be configured and used in any production environment.
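As an added illustration of the nginx-side option mentioned in the issue (this is not configuration from the project itself), the following applies a per-client-IP request limit only to the login endpoint; the hostname, the `/api/login` path and the upstream address are placeholders.

```nginx
http {
    # Shared-memory zone keyed on the client IP: 10 MB of state,
    # steady rate of 5 login attempts per minute per address.
    # limit_req_zone must live in the http context.
    limit_req_zone $binary_remote_addr zone=login_ip:10m rate=5r/m;

    server {
        listen 443 ssl;
        server_name api.example.com;          # placeholder hostname

        # Only the login endpoint is throttled, so normal API traffic
        # is unaffected. burst=5 tolerates a short cluster of retries;
        # nodelay rejects anything beyond the burst immediately.
        location = /api/login {               # placeholder path
            limit_req zone=login_ip burst=5 nodelay;
            limit_req_status 429;             # Too Many Requests instead of 503
            limit_req_log_level warn;         # rejected attempts show up in error_log
            proxy_pass http://127.0.0.1:8080; # placeholder API upstream
        }

        location / {
            proxy_pass http://127.0.0.1:8080; # placeholder API upstream
        }
    }
}
```

Because the key is the client address, this only slows a single source; guessing spread across many addresses is not covered, and if nginx sits behind a proxy or CDN the real client IP must be restored (ngx_http_realip_module) or every client will share one bucket.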