Looking for advice on how to rate limit login pages based on submitted email.
Presently I have a basic rule for (http.request.uri.path contains "sign-in") that triggers at 10 requests in 5 minutes and blocks for 1 hour.
I'd like to add an additional rule that is more restrictive if the user does this using the same email each time. So, block by IP if the sign-in page is hit too often, and be more restrictive if the user submits the same email each time. Any thoughts on how to approach this?
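One way to reason about the two tiers is to model them directly. The Python below is an added example, not code from the original post or from any rate-limiting product: tier 1 counts per source IP with the poster's numbers (10 hits per 5 minutes, block 1 hour); tier 2 counts per (IP, normalized e-mail) with a stricter threshold of 3 hits per 5 minutes (an assumed value). The e-mail is lower-cased, trimmed and hashed before it becomes a counter key, so the counter store never holds plaintext addresses. The IP address and e-mail values in the demo are constructed.

```python
"""Two-tier login rate limiter (added example, not from the original post).

Tier "ip":       10 requests / 300 s per source IP           -> block 3600 s
Tier "ip+email":  3 requests / 300 s per (IP, e-mail) pair    -> block 3600 s  (assumed)
"""
import hashlib
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional

WINDOW_SECONDS = 300      # 5-minute counting window (from the post)
BLOCK_SECONDS = 3600      # 1-hour mitigation (from the post)
IP_LIMIT = 10             # per-IP threshold (from the post)
EMAIL_LIMIT = 3           # per (IP, e-mail) threshold (assumed, stricter)


def normalize_email(email: str) -> str:
    """Fold case and whitespace so 'Alice@Example.com ' and 'alice@example.com' share a counter."""
    return email.strip().lower()


def email_key(ip: str, email: str) -> str:
    """Counter key for the stricter tier; the address is hashed so counters hold no plaintext."""
    digest = hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()[:16]
    return f"{ip}|{digest}"


@dataclass
class Decision:
    action: str                  # "allowed" or "blocked"
    tier: Optional[str]          # which tier produced the block, if any
    retry_after: float           # seconds until the block lifts (0 when allowed)


class LoginRateLimiter:
    def __init__(self, window: int = WINDOW_SECONDS, block: int = BLOCK_SECONDS,
                 ip_limit: int = IP_LIMIT, email_limit: int = EMAIL_LIMIT) -> None:
        self.window = window
        self.block = block
        self.ip_limit = ip_limit
        self.email_limit = email_limit
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)   # key -> timestamps in window
        self.blocked_until: Dict[str, float] = {}                 # key -> block expiry

    def _count(self, key: str, now: float) -> int:
        """Sliding-window count: drop timestamps older than the window, record this hit."""
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)
        return len(q)

    def check(self, ip: str, email: str, now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        # Stricter tier listed first so it is reported when both trip on the same request.
        tiers = (("ip+email", email_key(ip, email), self.email_limit),
                 ("ip", ip, self.ip_limit))
        # An active block on either tier wins before any counting.
        for tier, key, _ in tiers:
            until = self.blocked_until.get(key, 0.0)
            if until > now:
                return Decision("blocked", tier, until - now)
        decision = Decision("allowed", None, 0.0)
        # Count against every tier; the first tier whose limit is exceeded sets the outcome.
        for tier, key, limit in tiers:
            if self._count(key, now) > limit:
                self.blocked_until[key] = now + self.block
                if decision.action == "allowed":
                    decision = Decision("blocked", tier, float(self.block))
        return decision


def demo() -> None:
    """Constructed traffic: one IP hammering one account, then the same IP rotating accounts."""
    lim = LoginRateLimiter()
    t0 = 1_000.0
    for i in range(4):
        d = lim.check("203.0.113.5", "Alice@Example.com", t0 + i)
        print(f"same account, hit {i + 1}: {d.action} {d.tier or ''}")
    lim = LoginRateLimiter()
    for i in range(11):
        d = lim.check("203.0.113.5", f"user{i}@example.com", t0 + i)
        print(f"rotating accounts, hit {i + 1}: {d.action} {d.tier or ''}")


if __name__ == "__main__":
    demo()
```

The second tier only bites when the same (IP, e-mail) pair repeats, so an attacker spraying one password across many accounts from one address still falls to the per-IP tier, while someone hammering a single account trips the stricter tier after three attempts. If your edge platform lets a request body field serve as a counting characteristic, the same split maps onto two rules: the existing path-based rule keyed on client IP, and a second rule keyed on client IP plus the submitted e-mail field with the lower threshold.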