Hi everybody, I would like to know about some experiences with the rules or policies that one must have for protecting a web portal login and an API.
Hi, good morning.
Unfortunately, every environment has its own particular issues. For those that don't have the ATO license, I normally create a manual rate-limit rule on the specific login page; however, a motivated attacker can lower their rate and bypass your rate limit. (That's why the ATO feature, to me, is a "must have".) The values of the rate limit depend on how many requests you see per minute.
PS: I use the "exact" match string on the login endpoint. Some customers here use the same endpoint after logging in; if you use "contains", the counter keeps running even after a successful authentication, causing unwanted blocks.
For APIs, be aware of the OPTIONS method. They normally flood the log because most devs don't specify them in the API specifications. Otherwise you can put the same filters as above on the TOKEN request/authentication. The secret is to coordinate with the customer to check the best approach for user logins, marketing campaigns and a real brute-force situation.
Your life will be much easier with ATO or even a well-configured ABP.
If you can, add 2FA.
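As an added illustration (not part of the thread, and not any vendor's rule engine), the matching and counting logic behind such a manual rate-limit rule, written in Python and run over a few constructed log lines. It shows the two points the answer makes: an "exact" path match stops counting once the user moves on to other pages under the same prefix, whereas "contains" keeps counting and blocks the legitimate session; and skipping OPTIONS keeps CORS preflights from inflating the counter. The login path, the log format, the threshold and the window are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample access-log lines (not real traffic):
# "<seconds> <client_ip> <method> <path> <status>"
# 203.0.113.5 hammers the login form; 198.51.100.7 logs in once, then
# browses pages that happen to live under the same /login prefix.
SAMPLE_LOG = """\
0 203.0.113.5 POST /login 401
1 203.0.113.5 POST /login 401
2 203.0.113.5 OPTIONS /login 204
3 203.0.113.5 POST /login 401
4 203.0.113.5 POST /login 401
5 203.0.113.5 POST /login 401
6 203.0.113.5 POST /login 401
10 198.51.100.7 POST /login 200
12 198.51.100.7 GET /login/profile 200
14 198.51.100.7 GET /login/profile 200
16 198.51.100.7 GET /login/profile 200
18 198.51.100.7 GET /login/profile 200
20 198.51.100.7 GET /login/profile 200
22 198.51.100.7 GET /login/profile 200
"""

LOGIN_PATH = "/login"  # assumed login endpoint


def parse_log(text):
    """Parse the constructed log format into (ts, ip, method, path, status) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, method, path, status = line.split()
        records.append((int(ts), ip, method, path, int(status)))
    return records


def path_matches(path, mode):
    """'exact' matches only the login endpoint itself; 'contains' matches any path with the prefix."""
    if mode == "exact":
        return path == LOGIN_PATH
    if mode == "contains":
        return LOGIN_PATH in path
    raise ValueError(f"unknown match mode: {mode}")


def evaluate(log_text, mode="exact", limit=5, window=60, count_options=False):
    """Replay the log through a sliding-window rate limit.

    Returns {client_ip: number_of_requests_that_would_be_blocked} for every
    client that sent at least one request matching the rule.
    Requests that are blocked are not added to the window, so a client
    recovers once its earlier requests age out.
    """
    recent = defaultdict(deque)  # ip -> timestamps of counted requests
    blocked = {}
    for ts, ip, method, path, _status in parse_log(log_text):
        if not path_matches(path, mode):
            continue
        if method == "OPTIONS" and not count_options:
            continue  # preflights are noise, not login attempts
        blocked.setdefault(ip, 0)
        q = recent[ip]
        while q and ts - q[0] >= window:
            q.popleft()  # drop requests older than the window
        if len(q) >= limit:
            blocked[ip] += 1
        else:
            q.append(ts)
    return blocked


if __name__ == "__main__":
    for mode in ("exact", "contains"):
        print(mode, evaluate(SAMPLE_LOG, mode))
    print("exact, counting OPTIONS", evaluate(SAMPLE_LOG, "exact", count_options=True))
```

With "exact" only the brute-forcing client trips the limit; with "contains" the legitimate user is blocked twice while browsing after a successful login, which is the unwanted-block behaviour the answer describes. Counting OPTIONS adds a further block against the attacker here, but on a real API it would do the same to any browser client whose preflights hit the endpoint.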
It depends on the use case, and we have a way, in the form of custom rules, to mitigate bad actors.
We also have various features that give us more insight and protect the environment.
You can explore more of our features on the portal below for Cloud WAF.