Flooding prevention

In this article we explain how your system is protected from flooding. Flooding is caused by sending a high number of requests to server in such a manner that the server is struggling to handle the load. The system now restricts these requests according to the following rules. 

login

Registered, guest- and admin users can try to login 10 times before being delayed by the system.

  • After 10 failed login attempts the customer needs to wait 10 seconds before trying to login again.
  • After 15 failed login attempts it's 30 seconds.
  • After 20 failed login attempts it's 60 seconds.

After a successful login or after 24 hours without a failed login the limit is reset.

Contact form

The customer can send 3 contact forms in succession before being delayed by the system. 

  • After sending 3 contact forms the customer needs to wait 30 seconds before he can send the next form.
  • After sending 5 contact forms it's 60 seconds.
  • After sending 10 contact forms it's 90 seconds.

After 24 hours the limit is reset.

Password reset

Storefront and admin users have 3 trys to reset there password before being delayed by the system. 

  • after 3 failed login attempts the user needs to wait 30 seconds before trying to login again.
  • after 5 failed login attempts it's 60 seconds.
  • after 10 failed login attempts it's 90 seconds.

After 24 hours the limit is reset.

Storefront view

Configuration

In all new Shopware projects, there is only one lock.yaml file under config/packages/ in the installation. This can also be the case if you have carried out an update and the .yaml files under config/packages/ were not adjusted in the past.

If this is the case for you, you must create a new shopware.yaml file and insert the adjustments here!

There is no configuration located in the admin, to makes changes you need to copy the following file core /framework/resources/config/packages/shopware.yaml to your shop root directory unter config/packages/shopware.yaml, now you can edit the file in order to activate/deactivate a function.

  • login: Storefront login for registered customers.
  • guest_login: Storefront login for guest customers.
  • oauth: Admin area login.
  • reset_password: Storefront cutomer password reset.
  • user_recovery: Admin area password reset.
  • contact_form: Contact form.

You can disable a function by changing the corresponding line from enabled: true to enabled: false.

You can find the configuration in the shopware.yaml, this is what it looks like.

After the adjustment, php bin/console cache:clear must be executed in the console for the changes to take effect.

shopware:
    api:
       rate_limiter:
            login:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours' # reset limit after this time if no more requests failed
                limits:
                    - limit: 10
                      interval: '10 seconds'
                    - limit: 15
                      interval: '30 seconds'
                    - limit: 20
                      interval: '60 seconds'
            guest_login:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours'
                limits:
                    - limit: 10
                      interval: '10 seconds'
                    - limit: 15
                      interval: '30 seconds'
                    - limit: 20
                      interval: '60 seconds'
            oauth:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours'
                limits:
                    - limit: 10
                      interval: '10 seconds'
                    - limit: 15
                      interval: '30 seconds'
                    - limit: 20
                      interval: '60 seconds'
            reset_password:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours'
                limits:
                    - limit: 3
                      interval: '30 seconds'
                    - limit: 5
                      interval: '60 seconds'
                    - limit: 10
                      interval: '90 seconds'
            user_recovery:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours'
                limits:
                    - limit: 3
                      interval: '30 seconds'
                    - limit: 5
                      interval: '60 seconds'
                    - limit: 10
                      interval: '90 seconds'
            contact_form:
                enabled: true
                policy: 'time_backoff'
                reset: '24 hours'
                limits:
                    - limit: 3
                      interval: '30 seconds'
                    - limit: 5
                      interval: '60 seconds'
                    - limit: 10
                      interval: '90 seconds'

Was this article helpful?