
Rate-limit login forms with a skip path


Login forms can't easily be made async, so rate-limit them to prevent timing-based enumeration. Limiting by email alone can be abused to lock legitimate users out of their own accounts; make it easy to skip the email-based limit and fall back to IP-based limiting, so the limiter itself can't be weaponized for DoS.
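Added illustration, not code from the talk or the graph: a minimal two-key sliding-window limiter that shows the lockout the paragraph warns about and the skip path that falls back to IP-based limiting. The class, the function names, the limits and the sample addresses (TEST-NET ranges) are all constructed for this example.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window login limiter keyed by email and by client IP.

    skip_email_limit is the operational skip path: when attackers flood a victim's
    email from many addresses, the per-email limit locks the victim out; flipping
    the flag falls back to IP-only limiting, so the real user can still log in
    while each attacking address remains throttled.
    """

    def __init__(self, email_limit=5, ip_limit=20, window_s=60.0, skip_email_limit=False):
        self.email_limit = email_limit
        self.ip_limit = ip_limit
        self.window_s = window_s
        self.skip_email_limit = skip_email_limit
        self._by_email = defaultdict(deque)  # normalised email -> attempt timestamps
        self._by_ip = defaultdict(deque)     # client IP -> attempt timestamps

    def _record(self, dq, now):
        """Expire timestamps outside the window, record this attempt, return the count."""
        while dq and dq[0] <= now - self.window_s:
            dq.popleft()
        dq.append(now)
        return len(dq)

    def allow(self, email, ip, now=None):
        """True if this attempt may proceed to the credential check."""
        now = time.monotonic() if now is None else now
        email_hits = self._record(self._by_email[email.strip().lower()], now)
        ip_hits = self._record(self._by_ip[ip], now)
        if ip_hits > self.ip_limit:
            return False
        return self.skip_email_limit or email_hits <= self.email_limit


def simulate_lockout(skip_email_limit):
    """Constructed scenario: 30 distinct addresses (TEST-NET-2) each try the
    victim's email once, then the victim tries from their own address."""
    rl = LoginRateLimiter(skip_email_limit=skip_email_limit)
    for i in range(30):
        rl.allow("victim@example.com", f"198.51.100.{i + 1}", now=i * 0.1)
    return rl.allow("Victim@Example.com", "203.0.113.7", now=3.0)


def simulate_ip_fallback():
    """Constructed scenario: email limit skipped; one address trying 25 different
    emails is still cut off by the IP limit after 20 attempts."""
    rl = LoginRateLimiter(skip_email_limit=True)
    return sum(rl.allow(f"user{i}@example.com", "198.51.100.9", now=float(i)) for i in range(25))
```

With the email limit active the victim is refused after the flood; with the skip path on, the victim gets in and the per-address limit still throttles each attacking address.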

type: recommendation
about: Prevents enumeration on login forms via rate limiting.
from_talk: Recommendation for login forms where an async check isn't feasible.

Provenance: read by 5 extractions.