mirror of
https://github.com/MarijnDoeve/TijdVoorDeTest.git
synced 2026-07-13 13:25:19 +02:00
Add rate limiting to login and season-code entry points
Neither /login nor the public season-code guess form (POST /) had any throttling, making both an unlimited brute-force/enumeration oracle. Adds symfony/rate-limiter and enables login_throttling on the main firewall, plus a dedicated per-IP rate limiter on the season-code form.
This commit is contained in:
@@ -27,6 +27,8 @@ security:
|
||||
remember_me:
|
||||
secret: '%kernel.secret%'
|
||||
lifetime: 604800 # 1 week in seconds
|
||||
login_throttling:
|
||||
max_attempts: 5
|
||||
|
||||
access_control:
|
||||
- { path: ^/admin, roles: ROLE_ADMIN }
|
||||
@@ -43,3 +45,7 @@ when@test:
|
||||
cost: 4 # Lowest possible value for bcrypt
|
||||
time_cost: 3 # Lowest possible value for argon
|
||||
memory_cost: 10 # Lowest possible value for argon
|
||||
firewalls:
|
||||
main:
|
||||
login_throttling:
|
||||
max_attempts: 2
|
||||
|
||||
Reference in New Issue
Block a user