As soon as your web application gains any kind of traction you will become a target for brute force attacks.

Whilst an all-out attack is very difficult to fight against, there are certain things you can put in place to try to thwart brute force attacks.

In today’s tutorial I will walk you through setting up my preferred method for throttling brute force attacks in Laravel applications.

An overview of the solution

Before we get into the code, first we will look at the problem we face and what we can do to mitigate it.

A brute force attack is where your application will receive a flood of authentication requests to try and gain access.

These requests will usually span multiple credentials and multiple IP addresses.

If you don’t take measures to stop these brute force attempts, your application is open to attack.

In order to protect ourselves we need to record the failed authentication attempts for all user credentials.

If the number of failed authentication attempts is higher than it should be (based on historical data for this particular application) we can take measures to slow the requests down.

This might involve introducing a delay so the rate of requests is reduced, or requiring the requester to answer a CAPTCHA or a similar challenge.
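To make the idea concrete before we touch Laravel, here is a small stand-alone PHP sketch of the same approach (an added example, not code from the tutorial): every failed attempt is written to a table, and a request is flagged for slowing down or a CAPTCHA once the number of recent failures crosses a threshold. It goes slightly beyond the text by counting both the failures for the credential and the failures from the source address; the table name, column names, threshold and window are assumptions, and it uses PDO with an in-memory SQLite database so it runs without a framework.

```php
<?php
// Added example, not from the original article. Requires the pdo_sqlite extension.

final class FailedLoginThrottle
{
    public function __construct(
        private PDO $db,
        private int $threshold = 5,       // failures allowed per window (assumed value)
        private int $windowSeconds = 300  // look-back window in seconds (assumed value)
    ) {
        // Table/column names are assumptions for this example.
        $this->db->exec('CREATE TABLE IF NOT EXISTS failed_logins (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            identifier TEXT NOT NULL,
            ip_address TEXT NOT NULL,
            attempted_at INTEGER NOT NULL
        )');
    }

    /** Record one failed authentication attempt. */
    public function record(string $identifier, string $ip): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO failed_logins (identifier, ip_address, attempted_at) VALUES (?, ?, ?)'
        );
        $stmt->execute([$identifier, $ip, time()]);
    }

    /** Recent failures for the credential or for the source IP, whichever is higher. */
    public function recentFailures(string $identifier, string $ip): int
    {
        $since = time() - $this->windowSeconds;
        $stmt = $this->db->prepare('SELECT MAX(n) FROM (
            SELECT COUNT(*) AS n FROM failed_logins WHERE identifier = ? AND attempted_at >= ?
            UNION ALL
            SELECT COUNT(*) FROM failed_logins WHERE ip_address = ? AND attempted_at >= ?
        )');
        $stmt->execute([$identifier, $since, $ip, $since]);
        return (int) $stmt->fetchColumn();
    }

    /** True when the request should be delayed or challenged (e.g. with a CAPTCHA). */
    public function shouldThrottle(string $identifier, string $ip): bool
    {
        return $this->recentFailures($identifier, $ip) >= $this->threshold;
    }
}

$throttle = new FailedLoginThrottle(new PDO('sqlite::memory:'));
for ($i = 0; $i < 5; $i++) {
    $throttle->record('alice@example.com', '203.0.113.' . $i); // constructed sample attempts
}
var_dump($throttle->shouldThrottle('alice@example.com', '198.51.100.9'));
```

The final check is true because the credential alone has hit the threshold, even though the address making the request has no failures of its own.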

So now that we have that clear, let's look at what we need to do to add this protection to our application.

Creating the database table

We are going to need to record all of the failed authentication attempts for the application, so we will need a database table to store the data.