rate_limiter: Limit the amount of password reset emails to one address.

This limits the possibility to use the password reset form to make us spam an email address with password reset emails.
2025-10-23 04:52:12 +00:00 · 2019-12-30 21:13:02 +01:00
parent 0f61d590cc
commit 7c78d8a966
3 changed files with 64 additions and 2 deletions
--- a/zproject/settings.py
+++ b/zproject/settings.py
@@ -360,6 +360,10 @@ RATE_LIMITING_RULES = {
    'authenticate': [
        (1800, 5),  # 5 login attempts within 30 minutes
    ],
+    'password_reset_form_by_email': [
+        (3600, 2),  # 2 reset emails per hour
+        (86400, 5),  # 5 per day
+    ],
 }

 RATE_LIMITING_MIRROR_REALM_RULES = [