Does not return 401 Unauthorized HTTP error code when wrong auth credentials are used #10632
mysticaltech started this conversation in General
I would have expected that upon the submission of wrong credentials, a 401 Unauthorized HTTP error code would be emitted, but that is not the case: the login fails with an HTTP 200 OK.
This makes it hard to mitigate brute-force attacks with a tool like fail2ban, as there are no differentiators in the logs.
Expected results
Return an HTTP 401 Unauthorized error code when wrong credentials are submitted
Actual results
what actually happens.
Screenshots
If applicable, add screenshots to help explain your problem.
How to reproduce the bug
less +F access.log
Environment
superset 0.36.0
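To illustrate the point raised in the post above (an added example, not part of the original post and not Superset's code): a minimal fail2ban-style counter run over access-log lines, once with failed logins logged as 401 and once as 200. The Combined Log Format, the `/login/` path, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PATH = "/login/"             # assumption: path the login form posts to
MAX_RETRY = 3                      # assumption: failures tolerated per window
FIND_TIME = timedelta(minutes=10)  # assumption: sliding window length


def offenders(lines, fail_status="401"):
    """Return client IPs with >= MAX_RETRY failed login POSTs inside FIND_TIME."""
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != LOGIN_PATH:
            continue
        # The status code is the only field that can mark a login as failed.
        if m["status"] != fail_status:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = [t for t in hits[m["ip"]] if ts - t <= FIND_TIME] + [ts]
        hits[m["ip"]] = window
        if len(window) >= MAX_RETRY:
            banned.add(m["ip"])
    return banned


def sample(status):
    """Constructed log: four bad-password POSTs from one IP plus one page view."""
    rows = [f'203.0.113.7 - - [01/May/2020:10:00:0{i} +0000] '
            f'"POST /login/ HTTP/1.1" {status} 1532 "-" "curl/7.68.0"'
            for i in range(4)]
    rows.append('198.51.100.9 - - [01/May/2020:10:00:09 +0000] '
                '"GET /login/ HTTP/1.1" 200 1532 "-" "Mozilla/5.0"')
    return rows


if __name__ == "__main__":
    print("failures logged as 401:", offenders(sample(401)))
    print("failures logged as 200:", offenders(sample(200)))
```

With failures logged as 200, the same four attempts match nothing, because the log line carries no field that separates a rejected login from any other 200 response.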