Rate Limiting Login Attempts Without Locking Anyone Out
Unlimited password guesses is a breach schedule; hard lockouts are a denial-of-service gift. The middle path: counting failures per account AND per IP, with exponential delays.
Software Engineer
I build web applications and share what I learn along the way.
Step-by-step programming tutorials on PHP, JavaScript, Laravel, WordPress and more.
Unlimited password guesses is a breach schedule; hard lockouts are a denial-of-service gift. The middle path: counting failures per account AND per IP, with exponential delays.
A hidden token, a session comparison, a header for AJAX - the whole defense is 30 lines of PHP and JS. Build it once by hand and framework CSRF errors stop being mysterious.
Streaming big files through readfile ties up a PHP worker per download. The offload headers let PHP do the auth check, then hand the actual bytes back to the web server.
The options-array setcookie signature made secure cookies writable in one call - and the __Host- name prefix gets the browser itself to enforce your security flags.
Prepared statements stop SQL injection - but % and _ sail straight through into LIKE patterns, letting users dump whole tables or run pathological scans. The fix is three characters of escaping.
Mass-assignment bugs happen when request data flows unfiltered into updates. Two array functions - intersect_key and diff_key - are the terse, auditable filter.
Math.random-based IDs collide more than you think and are predictable by design. The browser ships a real UUID generator and a cryptographic random source - both one-liners.
Comparing secrets with === leaks how many leading characters matched, one microsecond at a time. hash_equals exists for exactly this, and knowing when to use it is the whole trick.
A PHP script renamed to photo.jpg sails past extension checks. finfo reads the actual bytes. Here is the upload validation layer cake that actually holds.
That html`...` syntax in lit and friends is not magic - it is a plain JavaScript feature you can use to build an XSS-safe HTML helper in fifteen lines.