diff --git a/content/collections/pages/forms.md b/content/collections/pages/forms.md index bef80772f..e710823e2 100644 --- a/content/collections/pages/forms.md +++ b/content/collections/pages/forms.md @@ -585,6 +585,27 @@ You'll also need to set your ajax library's `X-Requested-With` header to `XMLHtt The URL endpoint to send the request to is `/!/forms/{form-handle}`. You can configure the action route prefix which defaults to `!` in `config/statamic/routes.php`. +## Rate limiting + +Form submissions are rate limited by IP address to help protect against abuse. By default, the `statamic.forms` limiter allows 10 submissions per minute across all forms. + +You can customize the limit by redefining the named rate limiter in your `AppServiceProvider`'s `boot` method: + +```php +use Illuminate\Cache\RateLimiting\Limit; +use Illuminate\Http\Request; +use Illuminate\Support\Facades\RateLimiter; + +public function boot() +{ + RateLimiter::for('statamic.forms', function (Request $request) { + return Limit::perMinute(20)->by($request->ip()); + }); +} +``` + +Consult the [Laravel documentation](https://laravel.com/docs/13.x/routing#rate-limiting) to learn more about defining rate limiters. + ## Caching If you are static caching the URL containing a form, return responses like 'success' and 'errors' will not be available after submitting unless you [exclude this page from caching](/static-caching#excluding-pages) or wrap the form in {{ nocache }} tags. diff --git a/content/collections/pages/users.md b/content/collections/pages/users.md index d470f9039..35457a719 100644 --- a/content/collections/pages/users.md +++ b/content/collections/pages/users.md 
@@ -302,4 +302,34 @@ Click **Create Passkey** and follow the prompts to complete setup. Once a passke Passkey button on sign in page -Passkey behaviour, including whether password logins are still allowed for users with passkeys and whether “remember me” applies when logging in with a passkey, can be configured in `config/statamic/webauthn.php`. \ No newline at end of file +Passkey behaviour, including whether password logins are still allowed for users with passkeys and whether “remember me” applies when logging in with a passkey, can be configured in `config/statamic/webauthn.php`. + +## Rate limiting + +Statamic's authentication and passkey endpoints are rate limited by IP address to help protect against brute force attacks. The defaults apply to both the front-end and Control Panel: + +| Limiter | Default | Routes | +| --- | --- | --- | +| `statamic.auth` | 4 per minute | Front-end login, register, password email, password reset | +| `statamic.cp.auth` | Inherits `statamic.auth` | Control Panel login, password email, password reset | +| `statamic.passkeys` | 30 per minute | Front-end passkey authentication | +| `statamic.cp.passkeys` | Inherits `statamic.passkeys` | Control Panel passkey authentication | + +You can customize any of these limits by redefining the named rate limiter in your `AppServiceProvider`'s `boot` method: + +```php +use Illuminate\Cache\RateLimiting\Limit; +use Illuminate\Http\Request; +use Illuminate\Support\Facades\RateLimiter; + +public function boot() +{ + RateLimiter::for('statamic.auth', function (Request $request) { + return Limit::perMinute(10)->by($request->ip()); + }); +} +``` + +Overriding `statamic.auth` will affect both the front-end and Control Panel buckets unless you also define a separate `statamic.cp.auth` limiter. The same inheritance applies to `statamic.passkeys` and `statamic.cp.passkeys`. 
+ +Consult the [Laravel documentation](https://laravel.com/docs/13.x/routing#rate-limiting) to learn more about defining rate limiters. \ No newline at end of file
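Review bot: the forms hunk should say what a throttled submission actually receives, since it sits directly under the AJAX instructions (`X-Requested-With`, `/!/forms/{form-handle}`) and front-end code has to handle the rejection; state the response status and shape so integrators can surface it. Two caveats also belong in this section: "10 submissions per minute across all forms" means one bucket per source address shared by every form on the site, which is worth stating explicitly, and keying on `$request->ip()` only identifies the real client when the app's trusted proxies are configured, otherwise every visitor behind a load balancer or CDN shares a single bucket and the limit locks out the whole site. Suggest adding one sentence pointing to the trusted proxy configuration next to the `Limit::perMinute(20)->by($request->ip())` example.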
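Review bot: the users hunk keys the `statamic.auth` example on `$request->ip()` alone, which for login and password-reset routes means everyone behind a shared NAT or corporate egress address exhausts the 4-per-minute default together, while a single address that rotates accounts is only slowed per source address. Laravel's own rate limiting documentation (the link the hunk already cites) combines the submitted identifier with the address, so the example would be more useful as something like `Limit::perMinute(10)->by($request->input('email').$request->ip())` with a note on when each key is appropriate. The inheritance sentence ("Overriding `statamic.auth` will affect both ... unless you also define a separate `statamic.cp.auth` limiter") is the important operational detail and should be repeated in the table's Default column wording, e.g. "Inherits `statamic.auth` (including any override)", so a reader scanning the table does not miss it. The `-`/`+` pair on the passkey-behaviour line is a trailing-newline-only change; fine to keep, but worth calling out in the commit message so it is not mistaken for a content edit.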