Django-ratelimit-backend
Django-ratelimit-backend is an app that allows rate-limiting of login attempts at the authentication backend level. Login attempts are stored in the cache so you need a properly configured cache setup.
By default, it blocks any IP that has more than 30 failed login attempts in the past 5 minutes. The IP can still browse your site; only login attempts are blocked.
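A sketch of the default policy described above (more than 30 failed logins from one IP within 5 minutes, counted in the cache), added here as an illustration and not the project's own code. `DictCache`, the key format and the function names are assumptions, with a dict standing in for the configured cache.

```python
MAX_FAILURES = 30      # page default: more than 30 failures blocks the IP
WINDOW_MINUTES = 5     # page default: counted over the past 5 minutes


class DictCache:
    """Constructed stand-in for a cache backend with per-key expiry."""

    def __init__(self):
        self._data = {}

    def get(self, key, now):
        value, expires = self._data.get(key, (0, 0))
        return value if now < expires else 0

    def incr(self, key, now, ttl):
        self._data[key] = (self.get(key, now) + 1, now + ttl)


def _bucket_key(ip, epoch_seconds):
    # One counter per IP per wall-clock minute (hypothetical key format).
    return "login-fail:%s:%d" % (ip, epoch_seconds // 60)


def record_failure(cache, ip, now):
    """Count one failed login; the bucket outlives the window by a minute."""
    cache.incr(_bucket_key(ip, now), now, ttl=(WINDOW_MINUTES + 1) * 60)


def failures_in_window(cache, ip, now):
    """Sum the current minute bucket and the previous WINDOW_MINUTES - 1."""
    return sum(
        cache.get(_bucket_key(ip, now - 60 * i), now)
        for i in range(WINDOW_MINUTES)
    )


def login_allowed(cache, ip, now):
    """Consulted only on the login path, so ordinary browsing is unaffected."""
    return failures_in_window(cache, ip, now) <= MAX_FAILURES
```

Because the counters live only in the cache, a cache flush or a per-process cache backend resets or fragments the counts, which is why the cache setup matters.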
Note
If you use a custom authentication backend, there is an additional configuration step. Check the custom backends section.
Get involved, submit issues and pull requests on the code repository!
Changes
2.0 (2018-08-27):
- Add support for Django 2.0 and 2.1, and drop support for Django < 1.11.
1.2 (2017-09-13):
- Add no_username attribute on authentication backend for token-based authentication (Jody McIntyre).
- Fix Travis build for Python 3.3 (Jody McIntyre).
1.1.1 (2017-03-30):
- Run tests on Python 3.6.
- Run without warnings on supported Django versions.
1.1 (2017-03-16):
- Exclude tests from being installed from the wheel file.
- Add support for Django 1.10 and 1.11.
1.0 (2015-07-10):
- Silence warnings with Django 1.8.
0.6.4 (2015-03-31):
- Only set the redirect field to the value of request.get_full_path() if the field does not already have a value. Patch by Michael Blatherwick.
0.6.3 (2015-02-12):
- Add RatelimitMixin.get_ip.
0.6.2 (2014-07-28):
- Django 1.7 support. Patch by Mathieu Agopian.
0.6.1 (2014-01-21):
- Removed calls to deprecated check_test_cookie().
0.6 (2013-04-18):
- The RatelimitBackend now allows arbitrary kwargs for authentication, not just username and password. Patch by Trey Hunner.
0.5 (2013-02-14):
- Python 3 compatibility.
- The backend now issues a warning (warnings.warn()) instead of a logging call when no request is passed to the backend. This is because such cases are developer errors so a warning is more appropriate.
0.4 (2013-01-20):
- Automatically re-register models which have been registered in Django’s default admin site instance. There is no need to register 3rd-party models anymore.
- Fixed a couple of deprecation warnings.
0.3 (2012-11-22):
- Removed the part where the admin login form looked up a User object when an email was used to login. This brings support for Django 1.5’s swappable user models.
0.2 (2012-07-31):
- Added a logging call when a user reaches its rate-limit.
0.1:
- Initial version.