# Request rate-limit rules. Each [[Rules]] entry allows at most `max`
# matching requests per window of `seconds`. `match` is "METHOD:/path";
# an empty match presumably applies to every request. How requests are
# keyed (per client?) and which rule wins when several match are decided
# by the consumer of this file, not here — confirm against the loader.

[[Rules]]
# Catch-all limit for unauthenticated requests.
match = ""
seconds = 60
max = 30

[[Rules]]
# Unauthenticated health "doot" polled by server monitoring.
match = "GET:/v1/doot"
seconds = 5
max = 5

[[Rules]]
# Throttle credential guessing against the user login endpoint.
match = "POST:/v1/login"
seconds = 60
max = 3

[[Rules]]
# Throttle credential guessing against the admin login endpoint.
match = "POST:/v1/admin"
seconds = 60
max = 1

[[Rules]]
# NOTE(review): the original comment said "prevent spam account creation",
# but the match is the admin 2FA doot endpoint. Confirm the intended
# endpoint, and whether account creation is limited elsewhere if it exists.
match = "GET:/v1/adm/2fa-doot"
seconds = 1800
max = 1

[[Rules]]
# Throttle 'forgot password' to slow down enumeration and spam.
match = "POST:/v1/forgot"
seconds = 60
max = 1