Add rate limiting to login and season-code entry points

Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.
This commit is contained in:
2026-07-13 09:56:39 +02:00
parent cd293aa86f
commit 89e7dd09ba
9 changed files with 169 additions and 8 deletions
+6
View File
@@ -27,6 +27,8 @@ security:
remember_me:
secret: '%kernel.secret%'
lifetime: 604800 # 1 week in seconds
login_throttling:
max_attempts: 5
access_control:
- { path: ^/admin, roles: ROLE_ADMIN }
@@ -43,3 +45,7 @@ when@test:
cost: 4 # Lowest possible value for bcrypt
time_cost: 3 # Lowest possible value for argon
memory_cost: 10 # Lowest possible value for argon
firewalls:
main:
login_throttling:
max_attempts: 2