Ah right, this issue probably also affects the admin login. I see no other way than to use a webserver extension then.

On 15.11.17 12:32, Adam Johnson wrote:
https://github.com/jsocol/django-ratelimit is good at this, and it's well maintained so you shouldn't have any problems with upgrading. It's already tested on Django 2.0.

I agree though that it would be best for security if contrib.auth did it out of the box. But there are lots of reasons why it's hard to make it work with all the different environments django gets deployed under. The summary in django-ratelimit is very good: https://django-ratelimit.readthedocs.io/en/latest/security.html (thanks to James Socol and contributors!)

On 15 November 2017 at 11:07, Bernhard Posselt <[email protected]> wrote:

    Hi guys,

    We've received a report from hackerone.com
    that our password change and login forms are not protected against
    brute forcing passwords. Since we re-use both the built-in
    password change and login form views from Django it feels like
    rate limiting for these views should work out of the box.

    Using third-party extensions for this is certainly an option but I
    already have trouble upgrading to newer versions with my existing
    7 django extensions and it feels like this feature should be
    implemented for every Django installation that uses contrib.auth.

    What are your thoughts on this?

    regards

    Bernhard Posselt

    --
    You received this message because you are subscribed to the Google
    Groups "Django developers (Contributions to Django itself)" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to [email protected].
    To post to this group, send email to [email protected].
    Visit this group at https://groups.google.com/group/django-developers.
    To view this discussion on the web visit
    https://groups.google.com/d/msgid/django-developers/7f879db4-1ac7-734d-28d9-952376852db8%40gmail.com.
    For more options, visit https://groups.google.com/d/optout.

--
Adam

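Added example, not code from the thread, from Django or from django-ratelimit: a framework-free sketch of the failed-login throttling that Bernhard wants for the login and password-change views and that Adam suggests delegating to django-ratelimit. It counts failures both per client address (catches one client trying many usernames) and per (address, username) pair (catches one client hammering one account); the limits, window, injectable clock and the 203.0.113.x addresses are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

IP_LIMIT = 20      # assumed: failures per window from one client address
PAIR_LIMIT = 5     # assumed: failures per window for one (address, username) pair
WINDOW = 300       # assumed: sliding window of five minutes, in seconds


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed on IP and on (IP, username)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable so tests can drive time
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= WINDOW:     # drop failures that left the window
            q.popleft()
        return len(q)

    @staticmethod
    def _keys(ip, username):
        # Username is case-folded so "Alice" and "alice" share one counter.
        return ("ip", ip), ("pair", ip, username.casefold())

    def is_blocked(self, ip, username):
        now = self.clock()
        ip_key, pair_key = self._keys(ip, username)
        return (self._recent(ip_key, now) >= IP_LIMIT
                or self._recent(pair_key, now) >= PAIR_LIMIT)

    def record(self, ip, username, success):
        """Call after authenticating; a success clears only the pair counter."""
        now = self.clock()
        ip_key, pair_key = self._keys(ip, username)
        if success:
            self._failures.pop(pair_key, None)  # IP history is kept: one good login
            return                              # must not reset a spraying client
        for key in (ip_key, pair_key):
            self._failures[key].append(now)


def attempt(throttle, ip, username, password_ok):
    """Decision a view would make around its call to authenticate()."""
    if throttle.is_blocked(ip, username):
        return "throttled"                      # refuse before checking the password
    throttle.record(ip, username, password_ok)
    return "ok" if password_ok else "failed"
```

Because the decision is made before the password is checked, a throttled request costs the server no hashing work and reveals nothing about whether the password was right.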
