- Issue created by @prudloff
Contrib modules often forget to protect sensitive forms (where you need to input a password or any kind of secret to submit) against brute force.
We should make it as easy as possible to protect a form against brute force.
The flood service is very useful but still requires writing some custom logic.
We probably can't detect when a form needs brute force protection but maybe we could have something similar to the _csrf_token requirement with sensible default values for duration and number of tries.
Another problem is that we might not be able to know what should trigger FloodInterface::register() (the form submission could fail for reasons unrelated to a bad password).
We could register an event every time the form validation returns an error but this might risk blocking legitimate users?
Active
11.0
forms system
This module does something similar: https://www.drupal.org/project/protect_form_flood_control
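For reference, the custom logic the issue summary says a form currently has to write around the flood service, as an added example (not code from Drupal core or from the module linked above). The module name `example`, the form class, the event name, the `example.settings` / `secret_hash` config key and the 5-per-hour limit are all assumptions; with no identifier passed, the flood service keys on the client IP address.

```php
<?php
namespace Drupal\example\Form;

use Drupal\Core\Flood\FloodInterface;
use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

// Hypothetical contrib form that asks for a shared secret.
class SecretUnlockForm extends FormBase {
  // Assumed defaults: 5 failed attempts per client IP per hour.
  const EVENT = 'example.secret_unlock_failed';
  const THRESHOLD = 5;
  const WINDOW = 3600;

  public function __construct(protected FloodInterface $flood) {}

  public static function create(ContainerInterface $container) { return new static($container->get('flood')); }

  public function getFormId() { return 'example_secret_unlock'; }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['secret'] = ['#type' => 'password', '#title' => $this->t('Secret'), '#required' => TRUE];
    $form['submit'] = ['#type' => 'submit', '#value' => $this->t('Unlock')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    // Refuse before touching the secret once the threshold is reached.
    if (!$this->flood->isAllowed(self::EVENT, self::THRESHOLD, self::WINDOW)) {
      $form_state->setErrorByName('secret', $this->t('Too many failed attempts. Try again later.'));
      return;
    }
    // Errors unrelated to the secret (e.g. an empty required field) are not counted.
    if ($form_state->getErrors()) { return; }
    $hash = (string) $this->config('example.settings')->get('secret_hash');
    if (!password_verify((string) $form_state->getValue('secret'), $hash)) {
      // Register only the wrong-secret case, not every validation error.
      $this->flood->register(self::EVENT, self::WINDOW);
      $form_state->setErrorByName('secret', $this->t('The secret is incorrect.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // A successful submission resets the counter for this client.
    $this->flood->clear(self::EVENT);
  }
}
```

The three flood calls (`isAllowed()`, `register()`, `clear()`) and the choice of which failure counts are the parts a declarative option would have to supply defaults for.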