
LukaszD.07342 (Customer) asked a question.
Hello,
We have a login page on https://login.mypage.eu/. It is directly accessible.
We are investigating a way to make it impossible to reach that page directly. This is a follow-up to an incident in which we noticed unusual traffic to that page. Someone made a credential stuffing attempt against https://login.mypage.eu/ and was able to run a number of tries with some most likely stolen data to gain access to our system.
One of the ways we are considering is to block direct access to https://login.mypage.eu/ so it will be slightly more difficult to run automation against that login page.
In order to do that, we want to add a referrer and a token to the call from our webpage mypage.* so that custom JavaScript on https://login.mypage.eu/ can check the referrer and send the token back to our backend for verification. Once verified, it will stay on https://login.mypage.eu/; otherwise it will be redirected back to mypage.*.
Is it a good practice, or do you have any other recommended way of doing that?
Below you can find the diagram which pictures the approach we are currently considering:
BR
LD

Hello @LukaszD.07342 (Customer), thank you for posting on our Community page!
This question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out via devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).
Thank you for reaching out to our Community and have a great day!