In addition to using CSRF tokens for authenticated routes throughout the EngagementHQ platform, we prevent brute-force attacks through the following:
We protect the registration endpoint from replay attacks by rate-limiting it to 60 requests per IP address, per processor. At current settings this means the maximum number of requests allowed per IP is 120. Should we scale up our services, the number of requests allowed will increase proportionately, but the limit still serves its purpose of preventing brute-force attacks.
We protect the login endpoint from brute-force attempts by locking user accounts after 5 failed attempts. Lockouts last 30 minutes unless manually unlocked by the users.
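As an added illustration (not EngagementHQ's own code), the two controls above modelled in Python: a per-IP limiter whose counter lives inside each worker process, so the effective cap is 60 times the number of processors (120 with two), and a five-failure account lockout with a 30-minute timer and a manual unlock. The rate-limit time window is not stated above and is assumed to be 60 seconds; the IP address and user names are constructed.

```python
from collections import defaultdict

# Settings stated on the page; WINDOW_SECONDS is not stated and is an assumption.
PER_PROCESS_LIMIT = 60          # requests per IP, per worker process
WINDOW_SECONDS = 60             # assumed sliding window
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 30 * 60

class PerProcessRateLimiter:
    """Per-IP sliding-window counter held in one worker's memory only."""
    def __init__(self, limit=PER_PROCESS_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)          # ip -> request timestamps

    def allow(self, ip, now):
        recent = [t for t in self.hits[ip] if now - t < self.window]
        self.hits[ip] = recent
        if len(recent) >= self.limit:
            return False                       # over this worker's cap
        recent.append(now)
        return True

def aggregate_capacity(worker_count, attempts, ip="203.0.113.7", now=0.0):
    """Spread `attempts` requests from one constructed IP round-robin across
    independent workers and count how many get through: each worker keeps its
    own counter, so the effective cap is limit * worker_count (60 * 2 = 120)."""
    workers = [PerProcessRateLimiter() for _ in range(worker_count)]
    return sum(workers[i % worker_count].allow(ip, now) for i in range(attempts))

class AccountLockout:
    """Lock an account after 5 consecutive failures for 30 minutes."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, float("-inf"))

    def record_failure(self, user, now):
        """Returns True if the account is locked after this attempt."""
        if self.is_locked(user, now):
            return True
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILED_LOGINS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user):
        self.failures[user] = 0                # reset the consecutive-failure count

    def manual_unlock(self, user):
        self.locked_until.pop(user, None)      # the manual unlock described above
```

The aggregate-capacity check is the caveat worth keeping in mind: a limit held per process is not a limit per IP across the service, so a shared store (or dividing the intended cap by the worker count) is needed if the 60-request figure is meant to be the total.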