Brute Force Protection

Easy

Tests if login page blocks repeated failed login attempts.

Estimated fix time: 15 minutes

What is Brute Force Protection?

Brute force attacks are automated attempts to guess user credentials by systematically trying usernames and passwords: thousands of passwords against one account, one common password sprayed across many accounts, or leaked username/password pairs replayed from another site's breach (credential stuffing). Without rate limiting or lockout, nothing slows the attacker down except the speed of your login endpoint, and eventually a guess lands.

Security Impact

Severity: High

  • Unauthorized account access
  • Credential stuffing attacks
  • Resource exhaustion
  • Potential data breaches

How to Fix

1. Use Laravel's Built-in Throttling

Laravel ships a throttle middleware that answers HTTP 429 (with a Retry-After header) once the limit is reached. For unauthenticated requests it keys on the client IP, so on a login route it caps how fast a single address can guess at any account. Apply it to the authentication routes:

// routes/web.php
Route::post('/login', [LoginController::class, 'login'])
    ->middleware('throttle:5,1'); // 5 requests per minute per client IP; the 6th gets a 429

A per-IP limit alone is not enough: an attacker rotating through many source addresses stays under it, and users behind a shared NAT or proxy share one bucket and can be locked out together. Combine it with the per-account limiter in the following steps.

2. Configure Fortify Throttling (if using Laravel Fortify)

Fortify attaches throttle:login to its login route when a limiter is named in config/fortify.php. Register that limiter in the boot() method of FortifyServiceProvider. Keying on both the submitted username and the client IP means one account cannot be hammered from one address, while a different user on the same IP is unaffected:

// config/fortify.php
'limiters' => [
    'login' => 'login',
],

// app/Providers/FortifyServiceProvider.php (inside boot())
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;

RateLimiter::for('login', function (Request $request) {
    // Normalise the username so "Alice@Example.com" and "alice@example.com"
    // share one bucket; the '|' keeps the email and the IP from running together.
    // If you changed Fortify's username field, read Fortify::username() instead of 'email'.
    $email = Str::transliterate(Str::lower((string) $request->input('email')));

    return Limit::perMinute(5)->by($email.'|'.$request->ip());
});

3. Add Account Lockout

Lock the account out temporarily after repeated failures. The lockout below lives in the cache under a key made of the username and the client IP and expires on its own, so an attacker cannot permanently lock a victim out by spamming bad passwords (a real risk with a persistent "locked" flag in the users table). This is the pattern Laravel Breeze uses in its LoginRequest:

use Illuminate\Auth\Events\Lockout;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;

protected function ensureIsNotRateLimited(Request $request): void
{
    if (! RateLimiter::tooManyAttempts($this->throttleKey($request), 5)) {
        return;
    }

    // Fires Illuminate\Auth\Events\Lockout so a listener can alert or block further.
    event(new Lockout($request));

    $seconds = RateLimiter::availableIn($this->throttleKey($request));

    throw ValidationException::withMessages([
        'email' => trans('auth.throttle', [
            'seconds' => $seconds,
            'minutes' => ceil($seconds / 60),
        ]),
    ]);
}

// Username + client IP, lower-cased so case variants share one bucket.
protected function throttleKey(Request $request): string
{
    return Str::transliterate(Str::lower((string) $request->input('email')).'|'.$request->ip());
}

Call ensureIsNotRateLimited() before Auth::attempt(), call RateLimiter::hit($this->throttleKey($request)) on every failure, and RateLimiter::clear(...) once the user signs in. Without the hit() the counter never moves and the lockout never triggers.

4. Monitor and Log Failed Attempts

Record every failure with the context an analyst needs to spot a campaign (one IP against many accounts, or many IPs against one account). Never log the submitted password. Count the failure against the limiter here as well, otherwise the lockout from step 3 never fires:

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Validation\ValidationException;

protected function sendFailedLoginResponse(Request $request): void
{
    // Register the failure; the counter decays after 60 seconds by default.
    RateLimiter::hit($this->throttleKey($request));

    Log::warning('Failed login attempt', [
        'email' => $request->input('email'),
        'ip' => $request->ip(),
        'user_agent' => $request->userAgent(),
    ]);

    // Same generic message whether or not the account exists, so the
    // response does not reveal which usernames are valid.
    throw ValidationException::withMessages([
        'email' => [trans('auth.failed')],
    ]);
}
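The four fragments above belong in one controller. As an added example (not code from the original guide or from Laravel itself), here is a complete login action that wires them together: the rate-limit check, authentication, hit() on failure, clear() plus session regeneration on success. It assumes the default web guard, users identified by email, and a post-login landing page at /dashboard, which is an assumed path.

```php
<?php
// app/Http/Controllers/Auth/LoginController.php
// Added example, not code from the original guide or from Laravel: one
// controller that wires steps 1-4 together. Assumes the default 'web' guard,
// users identified by `email`, and a post-login landing page at /dashboard
// (an assumed path; change it to suit your app).

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Auth\Events\Lockout;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;

class LoginController extends Controller
{
    private const MAX_ATTEMPTS = 5;   // failures allowed per username+IP key
    private const DECAY_SECONDS = 60; // how long the counter (and the lockout) lasts

    public function login(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email' => ['required', 'string', 'email'],
            'password' => ['required', 'string'],
        ]);

        // Refuse before touching the password hash, so a locked key costs the
        // server nothing and even the correct password is not accepted.
        $this->ensureIsNotRateLimited($request);

        if (! Auth::attempt($credentials, $request->boolean('remember'))) {
            $this->sendFailedLoginResponse($request); // records the hit and throws
        }

        // Success: reset the counter and rotate the session id to defeat fixation.
        RateLimiter::clear($this->throttleKey($request));
        $request->session()->regenerate();

        return redirect()->intended('/dashboard');
    }

    protected function ensureIsNotRateLimited(Request $request): void
    {
        $key = $this->throttleKey($request);

        if (! RateLimiter::tooManyAttempts($key, self::MAX_ATTEMPTS)) {
            return;
        }

        event(new Lockout($request)); // hook for alerting or extra blocking

        $seconds = RateLimiter::availableIn($key);

        throw ValidationException::withMessages([
            'email' => trans('auth.throttle', [
                'seconds' => $seconds,
                'minutes' => ceil($seconds / 60),
            ]),
        ]);
    }

    protected function sendFailedLoginResponse(Request $request): void
    {
        // Count the failure first; the cache entry decays after DECAY_SECONDS.
        RateLimiter::hit($this->throttleKey($request), self::DECAY_SECONDS);

        // Log who, from where, with which client; never the submitted password.
        Log::warning('Failed login attempt', [
            'email' => $request->input('email'),
            'ip' => $request->ip(),
            'user_agent' => $request->userAgent(),
        ]);

        // Generic message: do not reveal whether the account exists.
        throw ValidationException::withMessages([
            'email' => [trans('auth.failed')],
        ]);
    }

    // Key = normalised username + client IP. This throttles guesses against
    // one account from one address; on its own it does not stop one address
    // spraying a password across many accounts, which is what the per-IP
    // throttle middleware from step 1 is for.
    protected function throttleKey(Request $request): string
    {
        return Str::transliterate(
            Str::lower((string) $request->input('email')).'|'.$request->ip()
        );
    }
}
```

Register it with Route::post('/login', [LoginController::class, 'login'])->middleware(['guest', 'throttle:20,1']) or similar. Keeping the per-IP middleware limit looser than the per-account limit lets several users behind one NAT log in while a single account still locks after five bad guesses; setting both to 5 means the sixth login from a shared office address fails for everyone.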

Verification Steps

  1. Submit a wrong password for the same account five times from one client
  2. On the sixth attempt, confirm you get the throttle message (or HTTP 429 with a Retry-After header if the route uses the throttle middleware), and that it is returned even when the password is correct
  3. Check how the limits compose: with username+IP keying a different account can still log in from the same client, unless the route also carries the per-IP throttle middleware with the same limit, in which case the sixth request from that address is refused whatever the account
  4. Wait for the throttle window to expire (60 seconds with the settings above)
  5. Confirm a correct password now logs in and the counter has been reset
  6. Check the application log for the failed-attempt records with email, IP, and user agent
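The manual steps above can be kept as an automated feature test so the protection cannot regress silently. The test below is an added example, not part of the original guide; it assumes POST /login is handled by a controller using the email|IP throttle key with a limit of 5 and a 60-second decay (as in steps 3 and 4), that the route does not also carry throttle:5,1 (otherwise the last test's sixth request from the same IP gets a 429 instead), and the array cache driver from the default phpunit.xml, which honours Carbon's test clock.

```php
<?php
// tests/Feature/LoginThrottleTest.php
// Added example, not code from the original guide: automates the
// verification steps. Assumptions: POST /login uses the email|IP key with
// limit 5 / decay 60s, no 5-per-minute per-IP middleware on the same route,
// and the array cache driver (so travel() expires the counter).

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class LoginThrottleTest extends TestCase
{
    use RefreshDatabase;

    // One wrong-password attempt: redirected back with the generic error, still a guest.
    private function failLogin(User $user): void
    {
        $this->from('/login')
            ->post('/login', ['email' => $user->email, 'password' => 'not-the-password'])
            ->assertRedirect('/login')
            ->assertSessionHasErrors('email');
        $this->assertGuest();
    }

    public function test_sixth_attempt_is_locked_out_even_with_correct_password(): void
    {
        $user = User::factory()->create(); // factory default password is 'password'

        for ($i = 0; $i < 5; $i++) {
            $this->failLogin($user);
        }

        // Attempt 6: the right password is still rejected while the lockout holds.
        $this->from('/login')
            ->post('/login', ['email' => $user->email, 'password' => 'password'])
            ->assertSessionHasErrors('email');
        $this->assertGuest();
    }

    public function test_lockout_expires_after_decay_window(): void
    {
        $user = User::factory()->create();

        for ($i = 0; $i < 5; $i++) {
            $this->failLogin($user);
        }

        // Advance the clock past the 60-second decay: the cache entries holding
        // the counter and its timer expire, so tooManyAttempts() is false again.
        $this->travel(61)->seconds();

        $this->post('/login', ['email' => $user->email, 'password' => 'password']);
        $this->assertAuthenticatedAs($user);
    }

    public function test_lockout_is_per_account(): void
    {
        $alice = User::factory()->create();
        $bob = User::factory()->create();

        for ($i = 0; $i < 5; $i++) {
            $this->failLogin($alice);
        }

        // Same client IP, different account: bob's key has never been hit.
        $this->post('/login', ['email' => $bob->email, 'password' => 'password']);
        $this->assertAuthenticatedAs($bob);
    }
}
```

Run it with php artisan test --filter LoginThrottleTest. If the third test fails with a 429, the per-IP middleware limit on the route is as tight as the per-account one; raise it or drop the middleware from that route and rely on the keyed limiter.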

Additional Security Measures

  • Show a CAPTCHA after a few failed attempts, before the hard lockout kicks in
  • Offer or require two-factor authentication (2FA), so a guessed password alone is not enough
  • Monitor for distributed attacks: many IPs against one account, or one password sprayed across many accounts, neither of which a single per-IP or per-account counter catches on its own
  • Block IPs that keep hitting the limit, at the firewall, WAF, or fail2ban level
  • Enforce a minimum password length and reject known-breached passwords (Laravel's Password::min(12)->uncompromised() validation rule)
  • Apply rate limiting to API and token endpoints, not only the web login form
  • Keep CSRF protection on the login form
  • Regenerate the session ID on login and set the secure and http_only cookie options in config/session.php

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
