https://github.com/jsocol/django-ratelimit is good at this, and it's well maintained so you shouldn't have any problems with upgrading. It's already tested on Django 2.0.
I agree though that it would be best for security if contrib.auth did it out of the box. But there are lots of reasons why it's hard to make it work with all the different environments django gets deployed under. The summary in django-ratelimit is very good: https://django-ratelimit.readthedocs.io/en/latest/security.html (thanks to James Socol and contributors!) On 15 November 2017 at 11:07, Bernhard Posselt <[email protected]> wrote: > Hi guys, > > We've received a report from hackerone.com that our password change and > login forms are not protected against brute forcing passwords. Since we > re-use both the built-in password change and login form views from Django > it feels like rate limiting for these views should work out of the box. > > Using third-party extensions for this is certainly an option but I already > have trouble to upgrade to newer versions with my existing 7 django > extensions and it feels like this feature should be implemented for every > Django installation that uses contrib.auth. > > What are your thoughts on this? > > regards > > Bernhard Posselt > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/group/django-developers. > To view this discussion on the web visit https://groups.google.com/d/ms > gid/django-developers/7f879db4-1ac7-734d-28d9-952376852db8%40gmail.com. > For more options, visit https://groups.google.com/d/optout. > -- Adam -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAMyDDM1CJ2h1VZiO9B3aDHY98q%3DbQHC0oRjDhYkYDTNqTi2g4A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
