mirror of
https://github.com/MarijnDoeve/TijdVoorDeTest.git
synced 2026-07-13 13:25:19 +02:00
89e7dd09ba
Neither /login nor the public season-code guess form (POST /) had any throttling, making both an unlimited brute-force/enumeration oracle. Adds symfony/rate-limiter and enables login_throttling on the main firewall, plus a dedicated per-IP rate limiter on the season-code form.
34 lines
1.0 KiB
YAML
34 lines
1.0 KiB
YAML
# see https://symfony.com/doc/current/reference/configuration/framework.html
|
|
framework:
|
|
secret: '%env(APP_SECRET)%'
|
|
|
|
# Note that the session will be started ONLY if you read or write from it.
|
|
session: true
|
|
form:
|
|
csrf_protection:
|
|
enabled: true
|
|
#esi: true
|
|
#fragments: true
|
|
rate_limiter:
|
|
# Throttles guesses against the public season-code entry point (config/packages/security.yaml
|
|
# handles throttling for the backoffice /login form separately).
|
|
season_code:
|
|
policy: sliding_window
|
|
limit: 20
|
|
interval: '1 minute'
|
|
when@prod:
|
|
framework:
|
|
# shortcut for private IP address ranges of your proxy
|
|
trusted_proxies: 'private_ranges'
|
|
# or, if your proxy instead uses the "Forwarded" header
|
|
trusted_headers: [ 'x-forwarded-proto' ]
|
|
|
|
when@test:
|
|
framework:
|
|
test: true
|
|
session:
|
|
storage_factory_id: session.storage.factory.mock_file
|
|
rate_limiter:
|
|
season_code:
|
|
limit: 3
|