Place throttles close to the code they are protecting #64

Open
eliotsykes opened this issue Aug 27, 2019 · 0 comments


eliotsykes commented Aug 27, 2019

Prefer placing throttles nearer to your vulnerable code, as they are less likely to be bypassed due to developer forgetfulness.

For example:

  1. Developer protects all API v1 endpoints' authentication from brute force attacks with a throttle in your rack attack initializer.
  2. Developer introduces API v2 endpoints that use the same authentication code (User.authenticate) as API v1, but forgets to add a corresponding throttle to the rack attack initializer for the new endpoints.
  3. API v2 is vulnerable to brute force attacks.

If the throttle had instead been placed in User.authenticate, then API v2 would have been protected from brute force attacks and developer forgetfulness.

Relevant discussion and ideas for using rack attack throttles outside of the initializer: rubygems/rubygems.org#2088 (comment)

@eliotsykes eliotsykes changed the title Place throttles close the code they are protecting Place throttles close to the code they are protecting Aug 27, 2019
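As an added example that is not part of this issue or of the rack-attack gem, the Ruby script below models the three-step scenario above. A small in-memory sliding-window counter (`AuthThrottle`) stands in for the cache-backed counter a gem such as rack-attack would use. Two endpoints, `api_v1_login` and `api_v2_login`, share `User.authenticate`; the throttle placed inside `User.authenticate` covers both, while the path-keyed rule in the style of an initializer only covers the path the developer remembered to list. The `USERS` fixture, the account, the client IP `203.0.113.9` and the 5-per-60-seconds limit are all constructed for the example.

```ruby
# Sliding-window counter standing in for a cache-backed rack-attack counter.
# Keyed by a discriminator; here the caller uses "email:ip".
class AuthThrottle
  def initialize(limit:, period:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @limit = limit
    @period = period
    @clock = clock
    @windows = Hash.new { |h, k| h[k] = [] }
  end

  # true if this attempt is within the limit for its key, false if it must be rejected
  def allow?(key)
    now = @clock.call
    window = @windows[key]
    window.reject! { |t| t <= now - @period } # drop timestamps that fell out of the window
    return false if window.size >= @limit
    window << now
    true
  end
end

# Constructed fixture: one account with a plaintext secret so the script runs offline.
# A real application compares against a stored password hash instead.
USERS = { 'alice@example.com' => 'correct horse battery staple' }.freeze

class User
  class Throttled < StandardError; end

  class << self
    attr_accessor :throttle
  end
  self.throttle = AuthThrottle.new(limit: 5, period: 60)

  # The throttle sits beside the credential check, so every caller of
  # User.authenticate (v1, v2, or an endpoint added next year) is covered.
  def self.authenticate(email, password, ip:)
    raise Throttled, 'too many login attempts' unless throttle.allow?("#{email}:#{ip}")
    USERS[email] == password ? email : nil
  end
end

# Two API versions sharing User.authenticate. Neither mentions throttling.
def api_v1_login(params)
  User.authenticate(params[:email], params[:password], ip: params[:ip])
end

def api_v2_login(params)
  User.authenticate(params[:email], params[:password], ip: params[:ip])
end

# Initializer-style rule: keyed on request path, so it only fires for paths
# someone remembered to list. The v2 path was never added.
THROTTLED_PATHS = ['/api/v1/login'].freeze

# Replay `attempts` wrong passwords against an endpoint and count how many reached
# the password comparison versus how many the model-level throttle rejected.
def model_throttle_outcome(endpoint, attempts:)
  User.throttle = AuthThrottle.new(limit: 5, period: 60) # fresh window per run
  outcome = { checked: 0, throttled: 0 }
  attempts.times do |i|
    begin
      endpoint.call(email: 'alice@example.com', password: "guess-#{i}", ip: '203.0.113.9')
      outcome[:checked] += 1
    rescue User::Throttled
      outcome[:throttled] += 1
    end
  end
  outcome
end

# Same replay through the path-keyed rule: returns how many attempts reach the app.
def initializer_throttle_outcome(path, attempts:)
  rule = AuthThrottle.new(limit: 5, period: 60)
  reached = 0
  attempts.times do
    guarded = THROTTLED_PATHS.include?(path)
    reached += 1 if !guarded || rule.allow?("#{path}:203.0.113.9")
  end
  reached
end

if __FILE__ == $PROGRAM_NAME
  puts "initializer rule, v1: #{initializer_throttle_outcome('/api/v1/login', attempts: 20)} of 20 reached the app"
  puts "initializer rule, v2: #{initializer_throttle_outcome('/api/v2/login', attempts: 20)} of 20 reached the app"
  puts "model throttle, v1:   #{model_throttle_outcome(method(:api_v1_login), attempts: 20)}"
  puts "model throttle, v2:   #{model_throttle_outcome(method(:api_v2_login), attempts: 20)}"
end
```

Running the script shows the initializer-style rule letting all 20 v2 attempts through while capping v1 at 5, whereas the throttle inside `User.authenticate` caps both versions at 5 without either endpoint knowing it exists. Keying on email plus client IP is one reasonable discriminator; a production throttle would also want a per-account key that does not depend on the IP, and the counter would live in a shared cache so it survives restarts and spans app processes.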