
Extend reCAPTCHA protection to operate on the "forgot your password?" page #942

Open
CrispinF opened this issue Jul 2, 2023 · 0 comments
CrispinF commented Jul 2, 2023

A recent security test identified that the "forgot your password?" page at /account/forgotpassword can cause large numbers of emails to be sent to the entered address, if it uses a registered user's email.
See https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html which recommends protecting such functionality with rate limiting and CAPTCHA.
I don't think we need to add another option to the reCAPTCHA integration (see https://www.cloudscribe.com/google-recaptcha-integration) - I suggest if this is automatically configured we apply it to the /account/forgotpassword page.
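The rate limiting the OWASP cheat sheet recommends alongside CAPTCHA, as an added example that is not cloudscribe code and not part of this issue; the `ResetRateLimiter` and `handle_forgot_password` names, the limits, and the in-memory store are assumptions (a shared store would be needed behind several instances).

```python
# Added example (not cloudscribe code): sliding-window rate limiting for a
# "forgot password" endpoint, keyed on both the requested e-mail address and
# the requesting client IP, so one address cannot be flooded with reset mail
# and one client cannot spray requests across many addresses.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ResetRateLimiter:
    """Sliding-window counters; the limits are assumed values, not the project's."""
    max_per_email: int = 3          # reset mails per address per window
    max_per_ip: int = 10            # requests per client IP per window
    window_seconds: int = 3600
    _email_hits: dict = field(default_factory=lambda: defaultdict(deque))
    _ip_hits: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, q: deque, now: float) -> None:
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def allow(self, email: str, ip: str, now: float) -> bool:
        """Return True if a reset mail may be sent; the IP hit is recorded either way."""
        key = email.strip().lower()   # Alice@x and alice@x share one bucket
        eq, iq = self._email_hits[key], self._ip_hits[ip]
        self._prune(eq, now)
        self._prune(iq, now)
        iq.append(now)                # count the request against the client regardless
        if len(iq) > self.max_per_ip or len(eq) >= self.max_per_email:
            return False
        eq.append(now)                # only successful sends count against the address
        return True


def handle_forgot_password(limiter, email, ip, now, registered, send_mail):
    """Answer identically whether or not the address exists, so the page does not
    reveal registered accounts; mail is only sent inside the limits."""
    # allow() runs first so the request is counted even for unknown addresses
    if limiter.allow(email, ip, now) and email.strip().lower() in registered:
        send_mail(email)
    return "If an account exists for that address, a reset link has been sent."
```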

@StewartBellamy StewartBellamy self-assigned this Sep 4, 2023
No branches or pull requests