mujx / hakatime

Wakatime server implementation & analytics dashboard
https://hakatime.mtx-dev.xyz
The Unlicense

Bruteforce protection #95

Open vycdev opened 2 months ago

vycdev commented 2 months ago

Right now accounts can be bruteforced; there should be a limit to the number of failed attempts.

mujx commented 2 months ago

This was left out by design because the service is meant to be behind some kind of HTTP proxy that will handle those things.

For example, this can be achieved easily with nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/controlling-access-proxied-http/
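
The following nginx configuration is an added example of the proxy-side rate limiting suggested in the reply above; it is not part of the thread or the hakatime project. The upstream address `127.0.0.1:8080`, the `/auth/` path prefix, the hostname and the zone name are assumptions to adjust for the actual deployment.

```nginx
# Added example, not hakatime's own configuration. Place inside the http {} context.
# Assumptions: hakatime listens on 127.0.0.1:8080 and its authentication
# endpoints are served under /auth/ (both are placeholders).

# One counter per client IP address, 10 MB of shared state,
# refilled at 5 requests per minute.
limit_req_zone $binary_remote_addr zone=hakatime_auth:10m rate=5r/m;

server {
    # TLS listener and certificate directives omitted for brevity.
    server_name hakatime.example.org;   # placeholder hostname

    # Throttle only the authentication endpoints so that heartbeats
    # sent by editor plugins are not affected.
    location /auth/ {
        # Allow a short burst (a user mistyping a password a few times),
        # then reject further requests instead of queueing them.
        limit_req zone=hakatime_auth burst=5 nodelay;
        limit_req_status 429;        # default rejection status is 503
        limit_req_log_level warn;    # rejections are written to error.log at this level

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Everything else is proxied without the limit.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

`limit_req` counts every request to the location, successful or not, and keys on the source address, so it bounds the guess rate per client IP rather than counting failed attempts per account. If nginx itself sits behind another load balancer, `$binary_remote_addr` will be the balancer's address unless the real client address is restored first (for example with the `ngx_http_realip_module`).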