
Feature #40914

Feature #40907: mgr/dashboard: REST API improvements

mgr/dashboard: REST API: security

Added by Ernesto Puerta over 1 year ago. Updated 24 days ago.

Status: Fix Under Review
Priority: Normal
Category: dashboard/backend
Target version: -
% Done: 0%
Source:
Tags: security
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

The following measures should be implemented:
- Failed login limit (once it is reached, the user account is disabled).
- Rate limiting: per user/token.
- Cache-Control: private on every response containing personal sensitive information.
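
The three measures above, as an added illustration written for this page; it is not the Ceph dashboard's own code and not taken from the pull request linked below. The class names, the thresholds (MAX_FAILED_LOGINS, bucket capacity and refill rate) and the list of sensitive endpoints are assumptions made for the example, and passwords are compared in the clear only to keep it self-contained.

```python
"""Added example, not Ceph dashboard code: failed-login lockout, per-user/token
rate limiting and Cache-Control for sensitive responses. All names/values are
assumptions chosen for illustration."""
import hmac
import time
from dataclasses import dataclass

MAX_FAILED_LOGINS = 5            # assumption: lockout threshold
RATE_LIMIT_CAPACITY = 10         # assumption: burst allowance per user/token
RATE_LIMIT_REFILL_PER_SEC = 1.0  # assumption: sustained requests per second


@dataclass
class UserRecord:
    password: str          # example only; a real store holds a password hash
    enabled: bool = True
    failed_logins: int = 0


class LocalUserStore:
    """Counts consecutive failed logins and disables the account at the limit."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        user = self.users.get(username)
        # Unknown or disabled accounts fail without touching any counter.
        if user is None or not user.enabled:
            return False
        if hmac.compare_digest(user.password, password):
            user.failed_logins = 0     # success resets the counter
            return True
        user.failed_logins += 1
        if user.failed_logins >= MAX_FAILED_LOGINS:
            user.enabled = False       # lockout: even the right password fails now
        return False


class TokenBucketLimiter:
    """One token bucket per key (user name or API token); each request costs one token."""

    def __init__(self, capacity=RATE_LIMIT_CAPACITY,
                 refill_per_sec=RATE_LIMIT_REFILL_PER_SEC, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock             # injectable so behaviour is testable
        self.buckets = {}              # key -> (tokens, last_refill_time)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self.buckets[key] = (tokens, now)
            return False               # caller should answer 429 Too Many Requests
        self.buckets[key] = (tokens - 1.0, now)
        return True


# Assumption: which paths return personal data. The issue asks for "private";
# "no-store" is added so the browser cache does not keep a copy either.
SENSITIVE_ENDPOINTS = {"/api/user", "/api/auth"}


def cache_control_for(path, headers=None):
    """Return the response headers with Cache-Control set for sensitive paths."""
    headers = dict(headers or {})
    if path in SENSITIVE_ENDPOINTS:
        headers["Cache-Control"] = "private, no-store"
    return headers


if __name__ == "__main__":
    store = LocalUserStore({"admin": UserRecord(password="secret")})  # constructed
    for _ in range(MAX_FAILED_LOGINS):
        store.authenticate("admin", "wrong")
    print("admin enabled after lockout:", store.users["admin"].enabled)
    limiter = TokenBucketLimiter(capacity=3)
    print("allowed:", [limiter.allow("token-1") for _ in range(4)])
    print(cache_control_for("/api/user"))
```

Disabling an account after a fixed number of failures stops password guessing, but it also lets anyone who knows a user name lock that user out, which is the concern the related issue #39999 deals with; a temporary lockout or a per-source limit is the usual mitigation. The rate limiter keys on the user name or token rather than the client address, so it holds up behind a proxy; Cache-Control: private alone only keeps shared caches away, which is why the example adds no-store.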


Related issues

Related to mgr - Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts New
Blocks mgr - Feature #47765: mgr/dashboard: security improvements New

History

#1 Updated by anurag bandhu 7 months ago

  • Assignee set to anurag bandhu

#2 Updated by Lenz Grimmer 7 months ago

  • Related to Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts added

#3 Updated by Lenz Grimmer 7 months ago

Per our conversation during today's standup, let's split this issue up by moving "Rate limiting: per-user/token" and "Cache-control private for every response containing personal sensitive information" into separate issues and keep the focus of this issue on the limiting failed logins. However, I wonder if this isn't captured in #39999 already?

#4 Updated by Ernesto Puerta about 2 months ago

  • Tags set to security

#5 Updated by Ernesto Puerta about 2 months ago

#6 Updated by Aashish Sharma 24 days ago

  • Assignee changed from anurag bandhu to Aashish Sharma

#7 Updated by Aashish Sharma 24 days ago

  • Pull request ID set to 37912

#8 Updated by Aashish Sharma 24 days ago

  • Status changed from New to Fix Under Review
