How to Secure Login APIs: Prevent Brute‑Force, CAPTCHA, IP Blocking, and MITM Attacks
This article explains common security risks of login interfaces such as brute‑force attacks, CAPTCHA bypass, IP‑based rate limiting, mobile verification, and man‑in‑the‑middle threats, and provides practical mitigation techniques including code examples, HTTPS adoption, and additional hardening measures.
01 Introduction
When learning web backend development, many developers implement login functionality without considering security.
02 Security Risks
Brute‑Force Attack
Publicly exposed sites are vulnerable to password‑guessing attacks. Example pseudocode (the attacker tries every entry of a password dictionary against the login interface):

import requests

# password dictionary
password_dict = []
# login interface
login_url = ''

def attack(username):
    for password in password_dict:
        data = {'username': username, 'password': password}
        content = requests.post(login_url, data).content.decode('utf-8')
        if 'login success' in content:
            print('got it! password is : %s' % password)

How to mitigate?
CAPTCHA
After a certain number of failed attempts, require a CAPTCHA (or sliding verification). Example (get_from_redis, set_redis, check_captcha, do_login and error are placeholder helpers; fail_username is the Redis key holding this user's failure counter):

def login(username, password, captcha):
    fail_count = get_from_redis(fail_username)
    if fail_count >= 3:
        if captcha is None:
            return error('需要验证码')  # a CAPTCHA is required
        check_captcha(captcha)
    success = do_login(username, password)
    if not success:
        set_redis(fail_username, fail_count + 1)

Note: concurrency is not handled; the read-then-write of fail_count can race under concurrent requests, so consider locking.
Login Limiting
Lock the account after many failures (e.g., 10 attempts) for a period. Example (lock_username is the Redis key holding this user's lock flag):

def login(username, password, captcha):
    fail_count = get_from_redis(fail_username)
    locked = get_from_redis(lock_username)
    if locked:
        return error('拒绝登录')  # login refused
    if fail_count >= 3:
        pass  # captcha logic...
    # on a failed attempt:
    if fail_count + 1 >= 10:
        set_redis(lock_username, True, 300)  # lock for 5 minutes

Beware of lock‑out attacks that target many usernames: an attacker can deliberately lock out legitimate users.
IP Limiting
Block an IP after a threshold of failed logins. Example (fail_ip is the Redis key holding this IP's failure counter):

ip = request['IP']
fail_count = get_from_redis(fail_ip)
if fail_count > 10:
    return error('拒绝登录')  # login refused
# on a failed attempt, increment the per-IP counter (5-minute window)
set_redis(fail_ip, fail_count + 1, 300)

Issues: shared IPs (NAT, corporate proxies) penalize legitimate users, and VPNs let attackers evade the limit.
Mobile Verification
Combine CAPTCHA with SMS/phone verification for stronger protection.
After more than 3 failures, require a CAPTCHA (prefer sliding verification).
After more than 10 failures, require a phone verification code in addition to the password.
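The CAPTCHA, account‑lock and IP‑limit rules above combined into one login policy, as an added example that is not from the original article. It assumes a constructed in-memory Store standing in for the Redis helpers (with an atomic increment, which addresses the concurrency note), a constructed USERS table, and the literal "valid-captcha" standing in for a real CAPTCHA check.

```python
import time
from threading import Lock

CAPTCHA_AFTER, LOCK_AFTER, IP_LIMIT, WINDOW = 3, 10, 10, 300  # article thresholds; 300 s = 5 min
USERS = {"alice": "correct-horse"}  # constructed sample credential store (real systems store salted hashes)


class Store:
    """Minimal in-memory stand-in for the article's Redis helpers: key -> (value, expiry)."""

    def __init__(self):
        self._d, self._lock = {}, Lock()

    def get(self, key):
        value, exp = self._d.get(key, (None, 0.0))
        return None if exp and exp < time.time() else value

    def set(self, key, value, ttl):
        self._d[key] = (value, time.time() + ttl)

    def delete(self, key):
        self._d.pop(key, None)

    def incr(self, key, ttl):
        # Atomic read-modify-write, like Redis INCR: concurrent failures cannot lose counts.
        with self._lock:
            n = (self.get(key) or 0) + 1
            self.set(key, n, ttl)
            return n


def login(store, username, password, ip, captcha=None):
    """Apply the policy: account lock, per-IP block, CAPTCHA after 3 failures, lock after 10."""
    if store.get(f"lock:{username}"):
        return "locked"
    if (store.get(f"fail_ip:{ip}") or 0) > IP_LIMIT:
        return "ip_blocked"
    fails = store.get(f"fail:{username}") or 0
    if fails >= CAPTCHA_AFTER:
        if captcha is None:
            return "captcha_required"
        if captcha != "valid-captcha":  # stand-in for a real CAPTCHA verification call
            return "bad_captcha"
    if USERS.get(username) == password:
        store.delete(f"fail:{username}")  # success resets the account's failure counter
        return "ok"
    n = store.incr(f"fail:{username}", WINDOW)  # count the failure per account ...
    store.incr(f"fail_ip:{ip}", WINDOW)  # ... and per source IP
    if n >= LOCK_AFTER:
        store.set(f"lock:{username}", True, WINDOW)  # lock for 5 minutes
    return "failed"
```

The counters carry a TTL, so both the CAPTCHA requirement and the lock expire after the 5‑minute window.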
Man‑in‑the‑Middle (MITM) Attack
Attackers on the network path can sniff plaintext login requests and steal credentials. Use HTTPS to encrypt traffic.
HTTPS
HTTPS adds SSL/TLS for confidentiality, integrity, and authentication.
Content encryption
Data integrity
Identity verification
Additional measures: encrypt username with asymmetric crypto, hash passwords (e.g., MD5) before transmission.
03 Other Recommendations
Operation logs for each login.
Abnormal login alerts.
Reject weak passwords.
Prevent username enumeration.
04 Postscript
Regulations increasingly protect user data; developers should continuously improve data‑security practices.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.