Open igormukhingmailcom opened 4 years ago
A super protection could also be like this: if a user tries x codes (let's say 30) without a single one working, disable the possibility of adding a new one for a defined time. Let's say 1 minute; that is already something huge to protect against brute forcing.
Or a slightly easier way would be to put a small `usleep(500000);` in the execution. This way is often recommended for protecting against login brute force.
I wasn't right at https://github.com/Setono/SyliusGiftCardPlugin/issues/25 that CSRF protects from brute force attacks, so to protect from them we probably should add some actual protection, like https://www.google.com/recaptcha/intro/v3.html
On the other side, even with captcha protection here, an attacker can brute force the cart (by checking the response for terms that mean the gift card was applied), and we can't add something like a captcha to the cart.
So, I guess, the only way is:
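The lockout the post proposes (30 wrong codes, then refuse new attempts for a minute), as an added example in Python rather than the plugin's PHP; this is not code from the issue or from SyliusGiftCardPlugin. It assumes the client is identified by a session id or IP address passed as `client_id`, that the caller supplies `now` from `time.monotonic()`, and that the same check is placed in front of the cart endpoint the post says cannot take a captcha.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

MAX_FAILURES = 30       # wrong codes allowed before lockout (number from the issue)
LOCKOUT_SECONDS = 60.0  # how long new attempts are refused (number from the issue)


@dataclass
class _ClientState:
    failures: int = 0          # consecutive wrong codes since last success/lockout
    locked_until: float = 0.0  # timestamp until which attempts are refused


@dataclass
class GiftCardAttemptLimiter:
    """Counts failed redemptions per client and locks the client out for a while."""
    max_failures: int = MAX_FAILURES
    lockout_seconds: float = LOCKOUT_SECONDS
    _state: Dict[str, _ClientState] = field(default_factory=dict)

    def is_locked(self, client_id: str, now: float) -> bool:
        st = self._state.get(client_id)
        return st is not None and now < st.locked_until

    def record_failure(self, client_id: str, now: float) -> bool:
        """Records a wrong code; returns True if this failure triggered a lockout."""
        st = self._state.setdefault(client_id, _ClientState())
        st.failures += 1
        if st.failures < self.max_failures:
            return False
        st.failures = 0                              # counter restarts after lockout
        st.locked_until = now + self.lockout_seconds
        return True

    def record_success(self, client_id: str) -> None:
        self._state.pop(client_id, None)             # a valid code clears the counter


def try_redeem(limiter: GiftCardAttemptLimiter, client_id: str, code: str,
               valid_codes: Set[str], now: float) -> str:
    """Returns 'locked', 'invalid' or 'applied'; `now` comes from time.monotonic()."""
    if limiter.is_locked(client_id, now):   # refuse even a correct code while locked,
        return "locked"                      # otherwise the lock can be probed past
    if code in valid_codes:                  # assumed lookup; real check hits the DB
        limiter.record_success(client_id)
        return "applied"
    limiter.record_failure(client_id, now)
    return "invalid"
```

Returning the same "locked" answer on both the gift card form and the cart endpoint is what removes the "was it applied?" signal the post worries about.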