Forum Discussion
Brute force protection for an API endpoint (no login page)?
Hello,
Configuring Brute force protection entails declaring the login page(s). Is it possible to use this protection on a site where every page is a login page, in a sense? It's an API endpoint and each request includes an HTTP authentication header, and can succeed or fail based on the provided credentials.
Can the ASM track failures on such a site? Any documentation or clues on how to go about it would be highly appreciated.
Thanks a lot.
- Dario_Garrido
Noctilucent
Hello Mohamed.
Actually, you have a default "Brute Force Attack Prevention" profile which applies to all the URLs not manually defined.
"You can add default brute force protection when creating a security policy using the Deployment wizard. If you do, the policy simply needs to know for which login pages to enforce brute force protection. The system creates a default brute force configuration that applies to all defined login URLs that are not associated with any other brute force configuration."
See this path ->
Security > Application Security > Anomaly Detection > Brute Force Attack Prevention
KR,
Dario.
- Mohamed_Lrhazi
Altocumulus
Thanks KR. Indeed it works fine. Just declare /* as a login page.
- Dario_Garrido
Noctilucent
Glad to hear this!
Please, if my answer was helpful, don't forget to mark it as "the best" or give me some upvotes.
KR,
Dario.
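An added illustration, not part of the thread and not ASM's own logic: when every API request carries an HTTP authentication header, failed logins can be counted from 401 responses, both per source IP and per attempted username. The window, threshold, function names and sample requests below are all assumptions constructed for the example.

```python
import base64
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
MAX_FAILURES = 5      # assumed failures within the window before flagging

def basic_username(header):
    """Username from an 'Authorization: Basic ...' value, or None if not Basic/malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _ = decoded.partition(":")
    return user if sep else None

def detect(requests):
    """requests: (ts, src_ip, authorization_header, status) tuples sorted by ts.
    Returns the sorted ("ip"|"user", value) keys that reached the threshold."""
    failures = defaultdict(deque)
    flagged = set()
    for ts, ip, header, status in requests:
        if status != 401:          # only failed authentication counts
            continue
        for key in (("ip", ip), ("user", basic_username(header))):
            if key[1] is None:
                continue
            q = failures[key]
            q.append(ts)
            while ts - q[0] >= WINDOW_SECONDS:   # drop failures outside the window
                q.popleft()
            if len(q) >= MAX_FAILURES:
                flagged.add(key)
    return sorted(flagged)

def _hdr(user, password):
    """Build a Basic Authorization header value for the constructed sample."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample traffic (documentation IP ranges, made-up accounts).
SAMPLE = (
    [(i * 5, "198.51.100.7", _hdr(f"user{i}", "guess"), 401) for i in range(6)]            # one source, many accounts
    + [(100 + i, f"203.0.113.{i}", _hdr("svc-backup", f"pw{i}"), 401) for i in range(5)]  # many sources, one account
    + [(200 + i * 120, "192.0.2.10", _hdr("alice", "typo"), 401) for i in range(6)]       # failures spread out over time
    + [(1000, "192.0.2.20", _hdr("bob", "ok"), 200)]                                      # successful request
)

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Counting per username as well as per IP catches attempts against one account that are spread across many sources, which a per-IP counter alone would miss.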