
Restriction on number of failed login attempts

Related products:FME Flow
  • January 20, 2021
  • 3 replies
  • 47 views

martinkoch
Enthusiast

In a recent security audit, one of the concerns was with the FME Server log-in.

As there is no limit on the number of retries, the login can be brute-forced.

Please add a toggle and a parameter for limited login retries, just like 'Password Policy' in the system configuration.

Perhaps also adjust the system event to only trigger after a set number of attempts, and have the IP address of the source as one of the keys.

Kind regards,

Martin

3 replies

david_r
Celebrity
  • June 28, 2021

Seconded. Either block the account after a certain number of retries, or implement progressive rate-limiting after a certain number of failed attempts.

More information: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
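One way to implement the account lockout with progressive delay described in this reply, keyed by account and source IP as the original request asks. This is an added illustration, not FME Server's code; the class, its thresholds and the 203.0.113.7 address are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Per-(account, source IP) failed-login counter with progressive lockout.

    Constructed for this example: after max_attempts failures the pair is
    locked for base_delay seconds; each further failure once the lock has
    expired doubles the delay, capped at max_delay. Times are plain seconds.
    """
    max_attempts: int = 5
    base_delay: float = 30.0
    max_delay: float = 3600.0
    state: dict = field(default_factory=dict)   # (user, ip) -> (count, locked_until)
    events: list = field(default_factory=list)  # lockout events for the system log

    def seconds_locked(self, user, ip, now):
        """Remaining lockout for this account/IP pair; 0.0 when a login may be tried."""
        _, locked_until = self.state.get((user, ip), (0, 0.0))
        return max(0.0, locked_until - now)

    def attempt(self, user, ip, password_ok, now):
        """Returns 'locked', 'ok' or 'denied'. A locked pair is rejected before
        the password is ever checked, so guessing while locked gains nothing."""
        if self.seconds_locked(user, ip, now) > 0:
            return "locked"
        if password_ok:
            self.state.pop((user, ip), None)        # success resets the counter
            return "ok"
        count, locked_until = self.state.get((user, ip), (0, 0.0))
        count += 1
        if count >= self.max_attempts:
            strikes = count - self.max_attempts     # 0 on the first lockout
            delay = min(self.base_delay * 2 ** strikes, self.max_delay)
            locked_until = now + delay
            # one audit event per lockout, keyed by source IP as requested above
            self.events.append({"event": "LOGIN_LOCKOUT", "user": user,
                                "source_ip": ip, "attempts": count,
                                "locked_for": delay})
        self.state[(user, ip)] = (count, locked_until)
        return "denied"

def simulate():
    """Constructed run: three bad passwords, a retry while locked, then success."""
    t = LoginThrottle(max_attempts=3, base_delay=10.0)
    ip = "203.0.113.7"                              # documentation-range address
    results = [t.attempt("admin", ip, False, now=100 + i) for i in range(3)]
    results.append(t.attempt("admin", ip, True, now=105))   # locked until 112
    results.append(t.attempt("admin", ip, True, now=115))   # lock expired
    return results, t.events
```

Because the counter is keyed by the (account, IP) pair, a single source cannot lock out an account for everyone else, while the emitted event still carries the source IP for alerting.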


  • September 14, 2021

This was also one of the major findings in our security audit.

I would love to see such a security measure in one of the next releases.


clayf
Observer
  • June 18, 2026

This is also still a problem for us in June 2026 until we can move to a single sign-on solution. Has there been any progress?