[mro_name]

I think about rate-limiting from an unprivileged user perspective and saw it first at https://github.com/sebsauvage/Shaarli/blob/master/index.php#.... So e.g. fail2ban is not an option. And the application has to deal with it.

I care more about load/DOS than actual crack success. What means the firewall is the sensible place. Not the application.

Or just take the risk, make backup/restore simple and do intrusion detection by monitoring a dedicated endpoint with e.g. https://updown.io/44q5 and let things happen for the sake of simplicity.

Hm. (I'm doing a federated, single-user microblog engine targeting laypersons. A proof of concept is at https://codeberg.org/mro/ShaarliGo)