Credential-stuffing defense

Dhal can learn from repeated failed login responses and block later attempts from the same identity key. In the configuration below, the identity key is built from the client IP and the route:
{
  "rules": {
    "credentialStuffing": {
      "enabled": true,
      "loginPathPatterns": ["/api/login", "/login", "/auth/login"],
      "failureStatusCodes": [400, 401, 403],
      "windowSeconds": 300,
      "maxFailures": 8,
      "keyBy": ["ip", "route"]
    }
  }
}

Response outcome recording

Adapters record response status codes after the response finishes. Repeated failures are stored in a signal store.
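
The sketch below is an added example, not Dhal's own code: it models how the settings above could interact, using an in-memory store. It assumes a sliding window, exact path matching, and blocking once the count reaches maxFailures; MemorySignalStore, shouldBlock, recordOutcome and simulate are hypothetical names.

```javascript
// Added illustration; not Dhal's implementation. Values mirror the config above.
const config = {
  loginPathPatterns: ["/api/login", "/login", "/auth/login"],
  failureStatusCodes: [400, 401, 403],
  windowSeconds: 300,
  maxFailures: 8,
  keyBy: ["ip", "route"],
};

// Hypothetical in-memory stand-in for a signal store: key -> failure timestamps (ms).
class MemorySignalStore {
  constructor() { this.failures = new Map(); }
  record(key, nowMs) {
    const list = this.failures.get(key) ?? [];
    list.push(nowMs);
    this.failures.set(key, list);
  }
  countSince(key, sinceMs) {
    // Drop entries older than the window so memory stays bounded per key.
    const recent = (this.failures.get(key) ?? []).filter((t) => t > sinceMs);
    if (recent.length) this.failures.set(key, recent); else this.failures.delete(key);
    return recent.length;
  }
}

// Assumption: patterns are compared as exact paths.
const isLoginRoute = (path) => config.loginPathPatterns.includes(path);
// Build the identity key from the fields named in keyBy ("route" maps to req.path here).
const identityKey = (req) =>
  config.keyBy.map((f) => (f === "ip" ? req.ip : req.path)).join("|");

// Called before the handler: decide whether this attempt is blocked.
function shouldBlock(store, req, nowMs) {
  if (!isLoginRoute(req.path)) return false;
  const since = nowMs - config.windowSeconds * 1000;
  return store.countSince(identityKey(req), since) >= config.maxFailures;
}

// Called after the response finishes: only failure statuses on login routes count.
function recordOutcome(store, req, statusCode, nowMs) {
  if (isLoginRoute(req.path) && config.failureStatusCodes.includes(statusCode)) {
    store.record(identityKey(req), nowMs);
  }
}

// Constructed traffic: `failures` failed logins, one per second, from one client.
function simulate(store, req, failures, startMs) {
  for (let i = 0; i < failures; i++) recordOutcome(store, req, 401, startMs + i * 1000);
}
```

Because the key combines IP and route, the same client hitting a different login path, or a different client hitting the same path, starts from its own count.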

Distributed signal store

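Use Redis/Valkey for multi-instance production deployments.
import Redis from "ioredis";
import { RedisSignalStore } from "@rokadhq/dhal/stores/redis-signal";

// REDIS_URL is the connection string of the Redis/Valkey server used by the app instances.
const redis = new Redis(process.env.REDIS_URL);
// Pass the Redis client to the signal store so failure signals are kept in Redis.
const signalStore = new RedisSignalStore(redis);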

Safer enforcement

Keep the global mode set to monitor, and set block only on login routes after reviewing events.