# Login Throttling Analyzer

Category Severity Time To Fix
🛡️ Security Major 5 minutes

Class: Enlightn\Enlightn\Analyzers\Security\LoginThrottlingAnalyzer

# Introduction

This analyzer ensures that your application uses login throttling for protection against brute force attacks.

This analyzer searches for usage of throttling middleware (ThrottleRequests or ThrottleRequestsWithRedis classes) or the RateLimiter class. If you have setup login throttling at your web server level or are using your own custom throttling mechanism (not in-built with Laravel), then you may ignore this analyzer.

# How To Throttle Using Nginx

You could setup login throttling at your web server level. To do this in Nginx, here's an example snippet:

http {
    limit_req_zone $binary_remote_addr zone=ratelimitzone:10m rate=15r/m;
    server {
        location /login {
            limit_req zone=ratelimitzone;


If your incoming requests are spread across multiple servers, this won't work as each server will maintain its own count.

# How To Throttle Using Middleware

You may use the ThrottleRequests or ThrottleRequestsWithRedis middleware for your login routes to throttle login requests.

Route::post('/login', [AuthenticatedSessionController::class, 'store'])
    ->middleware(['guest', 'throttle:60,1']);

The login route registered above allows a maximum of 60 login requests per minute.

# How To Throttle Using Rate Limiters

You can also use the RateLimiter facade to customize your throttling logic.

First, register a named rate limiter in the configureRateLimiting method of your application's App\Providers\RouteServiceProvider class:

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

 * Configure the rate limiters for the application.
 * @return void
protected function configureRateLimiting()
    RateLimiter::for('login', function (Request $request) {
        return Limit::perMinute(60)->by($request->input('email').'|'.$request->ip());

The login rate limiter above allows a maximum of 60 requests per minute by a combination of email and IP address.

Next, configure the throttling middleware to use the named rate limiter:

Route::post('/login', [AuthenticatedSessionController::class, 'store'])
    ->middleware(['guest', 'throttle:login']);

# Skip Condition

This analyzer is skipped for stateless apps or apps that use Laravel UI or Fortify's in-built login throttling.

# References