Good practice to limit the number of requests in a session

Hello there :v:

Context
I have a little project in beta testing in which users can create an account from the front-end and manage an online profile. Nothing too crazy, but I want it to be as secure as possible. I’m using a 9-digit code challenge sent by e-mail for the login (with 3 trials before blocking the account for 1 hour), I followed the Kirby guidelines for a safe/secure installation, all data is sanitized, alongside using CSRF tokens and security headers (Thanks bnomei!), and I also asked a friend in web security to review my code.

The question
I wanted to know if, within the user session, there is a way to limit the number of requests per minute made by users? The goal is not to limit functionalities, but to be able to block or avoid suspicious activities threatening the server (for example a malicious user managing to generate 500’000 requests super fast…)

I found this on Stack Overflow, but I was wondering what the best practice would be using Kirby.

Thank you in advance for your tips & tricks! :heart:

Hi. I would block malicious requests by introducing a firewall at the network/OS level for throttling requests on the network level, and check some basic conditions to block requests from non-desktop/mobile browser clients, e.g. CLIs or some other custom stuff.

2 Likes
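For the per-session counter the question asks about, here is an added example (not code from this thread or from Kirby itself): a sliding-window limiter kept in a plain PHP session. It assumes a plain `$_SESSION` array and a standard request handler; wiring it into Kirby's own request cycle is left to the reader.

```php
<?php
// Added example: per-session sliding-window rate limiter in plain PHP.
// Assumes a plain PHP session ($_SESSION); not tied to Kirby's API.

const RATE_LIMIT_MAX    = 60;  // requests allowed ...
const RATE_LIMIT_WINDOW = 60;  // ... per this many seconds

/**
 * Returns true when the current request is within the limit and records it,
 * false when the request should be rejected. $now is injectable so the
 * logic can be tested without waiting for real time to pass.
 */
function rateLimitAllows(
    array &$session,
    int $max = RATE_LIMIT_MAX,
    int $window = RATE_LIMIT_WINDOW,
    ?int $now = null
): bool {
    $now  = $now ?? time();
    $hits = $session['rate_limit_hits'] ?? [];

    // Drop timestamps that have fallen out of the window.
    $hits = array_values(array_filter($hits, fn(int $t) => $t > $now - $window));

    if (count($hits) >= $max) {
        // Over the limit: keep the pruned list, do not record this request.
        $session['rate_limit_hits'] = $hits;
        return false;
    }

    $hits[] = $now;
    $session['rate_limit_hits'] = $hits;
    return true;
}

// Usage at the top of a request handler: reject with 429 when over budget.
session_start();
if (!rateLimitAllows($_SESSION)) {
    http_response_code(429);
    header('Retry-After: ' . RATE_LIMIT_WINDOW);
    exit('Too many requests');
}
```

A session counter only constrains clients that keep the session cookie; a client that discards cookies gets a fresh budget on every request, which is why it should sit alongside the IP-level throttling the reply above recommends rather than replace it.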