
Defense-in-depth rate limits

No brute-force vectors on public endpoints.

Per-IP token-bucket throttles on /auth/login (20/min), /invitations/* (30/min), and /auth/password-reset/* (10/min). Inline pruning keeps memory bounded even under a spoofed X-Forwarded-For (XFF) attack. Per-account lockout remains as a second line of defense.

Preview: mockup of the dashboard view for this feature, showing the per-IP sliding-window buckets for /auth/login (20/min), /invitations (30/min) and /auth/password-reset (10/min), plus a blocked-IP entry for an inline-pruned bucket. Live-reloading and themed to match your dashboard.

Ships with

  • Per-IP sliding-window buckets
  • Inline prune every 500 hits, no background task needed
  • 120-character IP key cap defeats the 10 KB XFF memory attack
  • Composes with per-account lockout for layered defense
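The limiter described above, as an added illustration in Python (not z4j's own code): one sliding-window bucket per (route, capped client key) with the three stated limits, a 120-character cap on the key derived from X-Forwarded-For, and an inline prune every 500 hits instead of a background task. The route-prefix matching, the injectable clock and the class and method names are assumptions made for this example.

```python
import time
from collections import deque

# Per-route limits (hits per 60-second window), as stated on the page.
LIMITS = {"/auth/login": 20, "/invitations": 30, "/auth/password-reset": 10}
WINDOW = 60.0
IP_KEY_CAP = 120    # longest client key the table will ever store
PRUNE_EVERY = 500   # inline prune cadence; no background task needed


class SlidingWindowLimiter:
    """Per-IP sliding-window limiter whose memory stays bounded: keys are
    length-capped, expired timestamps are trimmed on every check, and every
    PRUNE_EVERY hits the whole table is swept so idle keys cannot pile up."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable for deterministic testing
        self.buckets = {}           # (route, client_key) -> deque of hit times
        self.hits = 0

    @staticmethod
    def client_key(xff_header, peer_ip):
        # First XFF hop if present, else the socket peer; then cap the length so
        # a multi-kilobyte spoofed header cannot inflate the key table.
        raw = (xff_header or "").split(",")[0].strip() or peer_ip
        return raw[:IP_KEY_CAP]

    def _route(self, path):
        for prefix, limit in LIMITS.items():
            if path == prefix or path.startswith(prefix + "/"):
                return prefix, limit
        return None, None           # endpoint is not throttled

    def _prune(self, now):
        # Drop every bucket whose newest hit already fell out of the window.
        stale = [k for k, d in self.buckets.items() if not d or d[-1] <= now - WINDOW]
        for k in stale:
            del self.buckets[k]

    def allow(self, path, xff_header, peer_ip):
        route, limit = self._route(path)
        if route is None:
            return True
        now = self.clock()
        self.hits += 1
        if self.hits % PRUNE_EVERY == 0:
            self._prune(now)
        bucket = self.buckets.setdefault((route, self.client_key(xff_header, peer_ip)), deque())
        while bucket and bucket[0] <= now - WINDOW:
            bucket.popleft()        # slide the window forward for this key
        if len(bucket) >= limit:
            return False            # blocked: limit reached inside the window
        bucket.append(now)
        return True
```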