On the other hand, even with captcha protection here, an attacker can brute-force the cart (by checking the response for terms that mean a gift card was applied), and we can't add something like a captcha to the cart.
So, I guess, the only way is:
Add a minimum code length rule to the configuration and do not allow generating codes with length < 16 chars, for example (at the same time, admin-created codes are allowed to be short, so admins can create gift cards with codes like "GIFT4BESTCLIENT").
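The policy sketched above, as an added example that is not code from this project: generated codes come from a CSPRNG over a readable alphabet and cannot be shorter than a configured minimum, while an administrator may still hand-pick a short code. The class name, the alphabet and the default of 16 characters are assumptions chosen for illustration; the entropy helper shows why the minimum matters (16 characters over a 31-symbol alphabet is roughly 79 bits, far beyond what online guessing against a cart endpoint can reach).

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Names and defaults are assumptions.
final class GiftCardCodePolicy
{
    // Unambiguous alphabet (no 0/O, 1/I/L) so codes are easy to read out; 31 symbols.
    private const ALPHABET = 'ABCDEFGHJKMNPQRSTUVWXYZ23456789';

    public function __construct(private int $minGeneratedLength = 16)
    {
    }

    // Generate a random code with random_int() (CSPRNG-backed in PHP 7+).
    // The configured minimum length is enforced for every generated code.
    public function generate(int $length): string
    {
        if ($length < $this->minGeneratedLength) {
            throw new InvalidArgumentException(sprintf(
                'Generated codes must be at least %d characters',
                $this->minGeneratedLength
            ));
        }
        $alphabetSize = strlen(self::ALPHABET);
        $code = '';
        for ($i = 0; $i < $length; $i++) {
            $code .= self::ALPHABET[random_int(0, $alphabetSize - 1)];
        }
        return $code;
    }

    // Admin-chosen codes bypass the minimum length rule (e.g. "GIFT4BESTCLIENT"),
    // but must still be non-empty and alphanumeric so they cannot carry odd input.
    public function acceptAdminCode(string $code): string
    {
        $code = strtoupper(trim($code));
        if ($code === '' || !ctype_alnum($code)) {
            throw new InvalidArgumentException('Admin code must be non-empty and alphanumeric');
        }
        return $code;
    }

    // Bits of entropy in a generated code of the given length: log2(|alphabet| ^ length).
    public function entropyBits(int $length): float
    {
        return $length * log(strlen(self::ALPHABET), 2);
    }
}

$policy = new GiftCardCodePolicy(16);
printf("generated: %s (%.1f bits)\n", $policy->generate(16), $policy->entropyBits(16));
echo 'admin code accepted: ', $policy->acceptAdminCode('GIFT4BESTCLIENT'), "\n";
try {
    $policy->generate(8); // below the configured minimum
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The minimum applies only to the generator, which is where bulk codes come from; an admin who types a short memorable code is making a deliberate, low-volume choice, and the validation there is limited to keeping the value well-formed.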
A super protection could also be something like:
If a user tries x codes (let's say 30) without having a single one working, disable the possibility to add a new one for a defined time. Let's say 1 minute; that is already something huge to protect against brute forcing.
Or a slightly easier way would be to put a small usleep(500000); in the execution path. This approach is often recommended for protecting against login brute force.
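The counter-and-lockout idea from the comment above, written out as an added example that is not code from this project. The limiter tracks failed redemption attempts per cart and, after the configured number of failures (30 here) within a sliding window, refuses further attempts for a lock period (60 seconds). The class names, the in-memory storage and the injectable clock are assumptions for illustration; a real shop would keep the counter in the session, a database row or a cache such as Redis so it survives across requests and app servers.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Storage is an in-memory array for illustration.
final class GiftCardAttemptLimiter
{
    /** @var array<string, int[]> key => timestamps of recent failures */
    private array $failures = [];
    /** @var array<string, int> key => unix time until which the key is locked */
    private array $lockedUntil = [];
    private Closure $clock;

    public function __construct(
        private int $maxFailures = 30,
        private int $lockSeconds = 60,
        private int $windowSeconds = 600,
        ?Closure $clock = null,
    ) {
        // Injectable clock so the behaviour can be demonstrated without waiting.
        $this->clock = $clock ?? static fn(): int => time();
    }

    public function isLocked(string $key): bool
    {
        $now = ($this->clock)();
        return isset($this->lockedUntil[$key]) && $this->lockedUntil[$key] > $now;
    }

    // Record one redemption attempt. Returns true if this attempt triggered a lock.
    public function record(string $key, bool $success): bool
    {
        $now = ($this->clock)();
        if ($success) {
            unset($this->failures[$key], $this->lockedUntil[$key]);
            return false;
        }
        // Keep only failures inside the sliding window, then add this one.
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn(int $t): bool => $t > $now - $this->windowSeconds
        ));
        $this->failures[$key][] = $now;
        if (count($this->failures[$key]) >= $this->maxFailures) {
            $this->lockedUntil[$key] = $now + $this->lockSeconds;
            $this->failures[$key] = [];
            return true;
        }
        return false;
    }
}

// Redemption handler sketch: the lock check runs before the code is looked up,
// so a locked cart gets the same answer whether or not the guessed code exists.
function redeemGiftCard(GiftCardAttemptLimiter $limiter, string $cartId, string $code, array $validCodes): string
{
    if ($limiter->isLocked($cartId)) {
        return 'Too many attempts, try again later';
    }
    $ok = in_array($code, $validCodes, true);
    $limiter->record($cartId, $ok);
    return $ok ? 'Gift card applied' : 'Invalid code';
}

// Demonstration with a fake clock and a small threshold (constructed sample data).
$now = 1_000_000;
$limiter = new GiftCardAttemptLimiter(
    maxFailures: 3,
    lockSeconds: 60,
    clock: function () use (&$now): int { return $now; },
);
$valid = ['ABCDEFGHJKMNPQRS'];
foreach (['AAAA', 'BBBB', 'CCCC', 'ABCDEFGHJKMNPQRS'] as $guess) {
    echo $guess, ' => ', redeemGiftCard($limiter, 'cart-42', $guess, $valid), "\n";
}
$now += 61; // lock has expired; the real code now applies
echo 'after 61s => ', redeemGiftCard($limiter, 'cart-42', 'ABCDEFGHJKMNPQRS', $valid), "\n";
```

Compared with a fixed usleep(), the lockout has a cost that grows with the number of failures rather than a constant per request, and it is keyed on the cart (or session) rather than on the request, so many parallel requests against one cart are all counted together. Logging the lock events also gives operations a clear signal of an ongoing guessing attempt.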
I wasn't right in #25 that CSRF protects from brute force attacks, so to protect from them we probably should add some actual protection, like https://www.google.com/recaptcha/intro/v3.html