I go back and forth on this issue. Unlike CSRF, there's never going to
be a one-size-fits-all solution for this type of problem. Different
organizations have widely varying requirements, and while I prefer
rate limits, that won't satisfy the auditor whose checklist requires
permanent lockout after
Ok, we'll go ahead with researching this. Expect to hear back from us
within the next 2-3 weeks (if not this upcoming week).
Thanks,
Rohit
On Mar 5, 8:40 am, Rohit Sethi wrote:
> Hi Russell, here are my thoughts on your points:
>
> 1. I do believe there should be something