On Tuesday, 5 April 2022 at 19:34:54 UTC+5:30 [email protected] wrote:

> - Django doesn't have to store any state of users and/or IP addresses
> attempting to log in

We would still have to keep track of the rate of requests made by each user and/or IP if we want to respond with a > 400 status code for a malicious client who bypasses the disabled button. So in effect this seems like rate-limiting on the backend as well as (somewhat) on the frontend. Plus we would have to maintain some extra bit of JavaScript, and the quirks that come with it.

In my opinion, limiting the rate of requests to a small amount per minute should be a good enough initial solution, and also solves the challenges raised in the discussion so far (to some extent).
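
An added illustration, not part of the original message and not Django's code: a minimal backend sliding-window limiter showing the per-user and per-IP state the server has to keep to reject excess login attempts. The class name, the limits, the in-memory store and the 429 status are assumptions made for this sketch.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Hypothetical helper: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the window can be tested without sleeping
        # key -> timestamps of recent accepted attempts. In-memory only for
        # illustration; a multi-process deployment would need a shared store
        # with expiry (assumption).
        self._attempts = defaultdict(deque)

    def _allow(self, key):
        now = self.clock()
        recent = self._attempts[key]
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

    def check(self, username, ip):
        """Return 200 to proceed to authentication, 429 to reject the attempt."""
        # Count against both keys: one IP trying many usernames and many IPs
        # trying one username are limited independently.
        user_ok = self._allow(("user", username.casefold()))
        ip_ok = self._allow(("ip", ip))
        return 200 if (user_ok and ip_ok) else 429
```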
