How to Secure Login APIs: Prevent Brute‑Force, MITM, and Other Attacks

This article explains common security risks in login interfaces—such as brute‑force attacks, MITM interception, and credential enumeration—and provides practical defenses including captcha, rate limiting, IP blocking, mobile verification, HTTPS encryption, and additional logging measures.

Java Architect Essentials

01 Preface

Many people learning web backend development start with a simple login feature, but they often overlook its security.

02 Security Risks

Brute‑Force Attacks

Publicly exposed sites are vulnerable to password‑guessing attacks. Example pseudocode:

import requests

# Password dictionary (attacker-supplied wordlist)
password_dict = []
# Login URL
login_url = ''

def attack(username):
    for password in password_dict:
        data = {'username': username, 'password': password}
        content = requests.post(login_url, data=data).content.decode('utf-8')
        # Success is inferred from the response body
        if 'login success' in content:
            print('got it! password is : %s' % password)
            break

Mitigation: introduce captcha after several failed attempts.

# fail_username is the per-user Redis key, e.g. 'login:fail:' + username
fail_count = get_from_redis(fail_username) or 0
if fail_count >= 3:
    if captcha is None:
        return error('需要验证码')   # "captcha required"
    check_captcha(captcha)          # rejects the request if the captcha is wrong
success = do_login(username, password)
if not success:
    set_redis(fail_username, fail_count + 1)

Note: the read-then-increment on the failure counter is a race between concurrent requests; protect it with a lock so parallel attempts cannot slip past the threshold.

Login Rate Limiting

Lock an account after many failed attempts and release after a cooldown period.

fail_count = get_from_redis(fail_username) or 0
locked = get_from_redis(lock_username)
if locked:
    return error('拒绝登录')        # "login refused": account is in its cooldown period
if fail_count >= 3:
    if captcha is None:
        return error('需要验证码')   # "captcha required"
    check_captcha(captcha)
success = do_login(username, password)
if not success:
    set_redis(fail_username, fail_count + 1)
    # Lock only on a failed attempt; a successful login must not trigger the lock
    if fail_count + 1 >= 10:
        set_redis(lock_username, True, ex=300)   # lock expires after 300 s

Be aware that locking by username can be abused: anyone who knows a username can deliberately trigger the lock and deny service to that user.

IP‑Based Restrictions

Block an IP after a threshold of failed logins.

ip = request['IP']
# fail_ip is the per-IP Redis key, e.g. 'login:fail:ip:' + ip
fail_count = get_from_redis(fail_ip) or 0
if fail_count > 10:
    return error('拒绝登录')   # "login refused"
# other logic …
success = do_login(username, password)
if not success:
    # Count failures per IP; the 300 s expiry makes the window roll over
    set_redis(fail_ip, fail_count + 1, ex=300)

IP blocking may affect legitimate users behind shared IPs or VPNs.
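The captcha threshold, the account lock and the per-IP counter above are fragments of one decision that every login request has to go through. The following is an added example, not code from the original article, that puts the three rules together in one handler. It uses an in-memory `TtlStore` as a stand-in for the Redis counters (a hypothetical helper with an injectable clock), a single lock to serialise the read-increment-write that the article's concurrency note warns about, and the article's thresholds (captcha after 3 failures, lock after 10, IP block after 10, 300 s windows). The key names, the `verify_password` and `verify_captcha` callbacks and the sample usernames and IP addresses are all constructed for the demo.

```python
import threading
import time


class TtlStore:
    """In-memory stand-in for the Redis counters used in the article (hypothetical helper).

    Values expire after `ttl` seconds, mirroring SET ... EX in Redis. The clock is
    injectable so that expiry can be exercised without waiting.
    """

    def __init__(self, clock=time.monotonic):
        self._data = {}
        self._clock = clock

    def get(self, key, default=None):
        item = self._data.get(key)
        if item is None:
            return default
        value, expires = item
        if expires is not None and self._clock() >= expires:
            del self._data[key]
            return default
        return value

    def set(self, key, value, ttl=None):
        expires = None if ttl is None else self._clock() + ttl
        self._data[key] = (value, expires)

    def delete(self, key):
        self._data.pop(key, None)


# Thresholds taken from the article: captcha after 3 failures, account lock after 10,
# IP block after 10; the 300 s windows are the article's lock duration.
CAPTCHA_AFTER = 3
LOCK_AFTER = 10
IP_BLOCK_AFTER = 10
FAIL_WINDOW = 300
LOCK_SECONDS = 300


class LoginThrottle:
    """Applies the captcha, account-lock and per-IP rules to one login attempt."""

    def __init__(self, store, verify_password, verify_captcha):
        self.store = store
        self.verify_password = verify_password   # (username, password) -> bool
        self.verify_captcha = verify_captcha     # (captcha) -> bool
        # One process-wide lock serialises the read-increment-write on the counters
        # (the article's concurrency note). With real Redis, INCR is atomic and could
        # replace this lock.
        self.lock = threading.Lock()

    def attempt(self, username, ip, password, captcha=None):
        fail_user_key = f"login:fail:user:{username}"
        lock_key = f"login:lock:{username}"
        fail_ip_key = f"login:fail:ip:{ip}"
        with self.lock:
            # Per-IP limit is checked first: it needs no valid username at all.
            if self.store.get(fail_ip_key, 0) >= IP_BLOCK_AFTER:
                return "denied"
            # Account in its cooldown period.
            if self.store.get(lock_key):
                return "denied"
            fail_count = self.store.get(fail_user_key, 0)
            if fail_count >= CAPTCHA_AFTER:
                if captcha is None:
                    return "captcha_required"
                if not self.verify_captcha(captcha):
                    return "captcha_invalid"
            if self.verify_password(username, password):
                self.store.delete(fail_user_key)   # success clears the user's counter
                return "ok"
            fail_count += 1
            self.store.set(fail_user_key, fail_count, FAIL_WINDOW)
            self.store.set(fail_ip_key, self.store.get(fail_ip_key, 0) + 1, FAIL_WINDOW)
            if fail_count >= LOCK_AFTER:
                self.store.set(lock_key, True, LOCK_SECONDS)
            return "failed"


def demo():
    """Constructed scenario: three wrong passwords, a fourth attempt without captcha,
    then the right password together with a valid captcha."""
    throttle = LoginThrottle(
        TtlStore(),
        verify_password=lambda u, p: (u, p) == ("alice", "correct horse"),
        verify_captcha=lambda c: c == "1234",   # stands in for a real captcha service
    )
    results = [throttle.attempt("alice", "203.0.113.5", "wrong") for _ in range(3)]
    results.append(throttle.attempt("alice", "203.0.113.5", "wrong"))
    results.append(throttle.attempt("alice", "203.0.113.5", "correct horse", captcha="1234"))
    return results


if __name__ == "__main__":
    print(demo())
```

The per-IP check runs before anything user-specific, so a source that has exhausted its budget is refused without touching account state, while the account lock is keyed by username and therefore also applies to attempts from a fresh IP. Because both counters carry a TTL, the shared-IP and username-lockout side effects the article mentions are bounded to the cooldown window.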

Mobile Verification

Combine password attempts with SMS or app‑based verification for stronger protection.

if fail_count > 3:
    require_captcha()
if fail_count > 10:
    require_sms_code()
# validate sms code …

Man‑in‑the‑Middle (MITM) Attacks

Attackers on the network path can intercept login requests and read the credentials. Serving the login over HTTPS encrypts the traffic, providing confidentiality, integrity, and server authentication.

Additional Defensive Measures

Record operation logs with IP and device information.

Send alerts for abnormal login activities.

Enforce strong password policies.

Prevent username enumeration.
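Username enumeration happens when the response for an unknown user differs from the response for a wrong password, either in the message or in how long the check takes. The following is an added example, not code from the original article, showing one way to close both channels: a generic error message for every failure, and a dummy credential that is verified whenever the username does not exist so the hashing work is the same either way. The `USERS` table, the PBKDF2 iteration count and the sample credentials are constructed for the demo.

```python
import hashlib
import hmac
import os

# PBKDF2 cost (constructed value for the demo; tune for the target hardware)
ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password"


def hash_password(password, salt=None):
    """Return (salt, digest) for the password; a fresh random salt is used when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed user table standing in for a database: username -> (salt, digest)
USERS = {
    "alice": hash_password("correct horse battery staple"),
}

# A dummy credential that is verified whenever the username is unknown, so that an
# unknown user costs the same hashing work as a known one and the response time does
# not reveal which usernames exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(32).hex())


def login(username, password):
    """Verify credentials and return (success, error_message).

    Both failure cases (unknown user, wrong password) return the same message and
    perform the same amount of work.
    """
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_DIGEST)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison; the result is only trusted for known users
    matches = hmac.compare_digest(candidate, stored)
    if known and matches:
        return True, None
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))
    print(login("mallory", "wrong"))
```

The same principle applies to registration and password-reset endpoints, which are often the easier place to probe: they should respond identically whether or not the address or username is already on file.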

Written by

Java Architect Essentials