@angristan tl;dr a forged X-Forwarded-For header can be used to bypass the rate limit for brute forcing the code

@angristan hm this is probably a bigger issue than just a bypass, if you parse the x-forwarded-for header the wrong way then clients can just lie about their source ip address. That’s problematic not just for 2fa brute force
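The parsing mistake the thread points at is trusting the leftmost X-Forwarded-For value, which is whatever the client chose to send. The safe rule is to walk the chain from the right, skipping only hops that are your own proxies, and key the rate limiter on the first hop you did not add yourself. Added example, not code from the thread or from Mastodon; the proxy and client addresses are constructed.

```python
import ipaddress
from typing import Sequence

def naive_client_ip(remote_addr: str, xff: str) -> str:
    """The bug described above: take the leftmost value, which the client controls."""
    first = xff.split(",")[0].strip() if xff else ""
    return first or remote_addr

def _is_trusted(ip: str, trusted: list) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # garbage is never one of our proxies
    return any(addr in net for net in trusted)

def client_ip(remote_addr: str, xff: str, trusted_proxies: Sequence[str]) -> str:
    """Return the address the nearest trusted proxy actually saw.

    remote_addr is the TCP peer of the app server. Each trusted proxy appends
    its own peer address to X-Forwarded-For, so reading from the right and
    skipping our proxies lands on the one value the client could not forge.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if not _is_trusted(remote_addr, trusted):
        return remote_addr    # direct connection: ignore the header entirely
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue          # one of ours, keep walking left
        # A trusted proxy wrote this value from its socket, so it must parse;
        # if it does not, the proxy chain is misconfigured and we refuse to guess.
        ipaddress.ip_address(hop)
        return hop
    return remote_addr        # only proxies in the chain; fall back to the peer

if __name__ == "__main__":
    # Constructed scenario: attacker at 203.0.113.7 sends a forged header through
    # our load balancer at 10.0.0.5, which appends the real peer address.
    forged = "198.51.100.1, 203.0.113.7"
    print(naive_client_ip("10.0.0.5", forged))                  # spoofed value
    print(client_ip("10.0.0.5", forged, ["10.0.0.0/8"]))        # 203.0.113.7
```

With the naive parser every brute-force attempt can carry a fresh fake address and land in a fresh rate-limit bucket; with the right-to-left walk they all collapse onto the real peer.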

