NoBrute 1.0.0

.NET Core 3.1
There is a newer version of this package available.
See the version list below for details.

NoBrute (by Malte)

Simple and light brute-force protection for .NET Core 3.1+. This library protects defined actions in your controllers by making them inefficient to brute-force, for simple solutions. It appends time (in ms) to a request if a local cache entry on the server was found for the same request, request name and method, and the hit count reaches a defined limit (called "green requests" here) within an amount of time.


NoBrute requires at least one IMemoryCache or IDistributedCache to be registered in your application. (Storing the information in the session will not work, for the obvious reason that bots never send cookies along with their requests.)


Using the nuget package manager:

Install-Package NoBrute

Using the dotnet cli:

dotnet add package NoBrute

Enable it in your application:

// Startup.cs

public void ConfigureServices(IServiceCollection services) {
    // Use memory cache:
    services.AddMemoryCache();
    // Or a distributed cache (NoBrute will prefer this if both are registered)
    services.AddStackExchangeRedisCache(x => {
        x.Configuration = "... ";
    }); // In this case we used Redis as an example
}



No configuration is required in order to use NoBrute. Here is a JSON example for your "appsettings.json" that configures NoBrute and shows the default values used if an entry does not exist in your configuration:

"NoBrute": {
    "Enabled": true,
    "GreenRetries": 10,
    "IncreaseRequestTime": 20,
    "TimeUntilReset": 2,
    "TimeUntilResetUnit": "H",
    "StatusCodesForAutoProcess": [
        200
    ]
}

Configuration Entries and their meanings

| Configuration Entry Name | Description | Default Value | Type |
|---|---|---|---|
| Enabled | If true, the NoBrute service is enabled | true | Boolean |
| GreenRetries | If this count of same requests is reached, NoBrute will start appending request time by setting the thread to sleep for n ms | 10 | Integer |
| IncreaseRequestTime | For each request that exceeds the GreenRetries entry number, NoBrute will append n ms to the request | 20 | Integer |
| TimeUntilReset | In combination with TimeUntilResetUnit, this declares the time after which the saved request count for a user is cleared, so the user gets normal request times again | 2 | Integer |
| TimeUntilResetUnit | The unit of time used for the value of TimeUntilReset. Possible values: Years = 'y', Days = 'd', Months = 'M', Hours = 'H', Minutes = 'i', Seconds = 's', Milliseconds = 'n' | H (Hours) | String |
| StatusCodesForAutoProcess | This is for auto-processing requests (for more details see "Usage" below). Here you can declare which status codes of an IHttpAction will remove the saved request automatically | [ 200 ] | Integer[] |
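
To make the interplay of these settings concrete, here is an added model in C# (an illustration written for this page, not NoBrute's source code and not from the package author). It assumes the delay grows linearly for each request beyond GreenRetries, that the reset window starts at the first hit, and that the client is identified by IP; the names ThrottleModel, Check and Release and the sample IP and clock are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Illustrative model only, NOT NoBrute's source. Assumptions: the delay grows
// linearly for each request beyond GreenRetries, the window starts at the
// first hit, and the client is identified by IP.
public sealed class ThrottleModel
{
    private readonly int greenRetries, increaseMs;
    private readonly TimeSpan resetAfter;
    private readonly Dictionary<string, (int Hits, DateTime FirstSeen)> entries =
        new Dictionary<string, (int Hits, DateTime FirstSeen)>();

    // Defaults mirror the table: GreenRetries 10, IncreaseRequestTime 20, reset after 2 H.
    public ThrottleModel(int greenRetries = 10, int increaseMs = 20, double resetHours = 2)
    {
        this.greenRetries = greenRetries;
        this.increaseMs = increaseMs;
        this.resetAfter = TimeSpan.FromHours(resetHours);
    }

    private static string Key(string ip, string method, string name) => $"{ip}|{method}|{name}";

    // Counts the hit and returns the delay in ms to add to this request.
    public int Check(string ip, string method, string name, DateTime now)
    {
        string key = Key(ip, method, name);
        if (!entries.TryGetValue(key, out var e) || now - e.FirstSeen >= resetAfter)
            e = (0, now); // no entry yet, or TimeUntilReset has elapsed
        e.Hits++;
        entries[key] = e;
        return e.Hits <= greenRetries ? 0 : (e.Hits - greenRetries) * increaseMs;
    }

    // Auto-process: forget the counter when the action returned a listed status code.
    public void Release(string ip, string method, string name, int status, int[] autoCodes)
    {
        if (Array.IndexOf(autoCodes, status) >= 0) entries.Remove(Key(ip, method, name));
    }
}
public static class Program
{
    public static void Main()
    {
        const string ip = "203.0.113.7"; // constructed sample client (documentation range)
        var model = new ThrottleModel();
        var t0 = new DateTime(2021, 1, 16, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        for (int i = 1; i <= 13; i++)
            Console.WriteLine($"request {i}: +{model.Check(ip, "POST", "Login", t0.AddSeconds(i))} ms");
        model.Release(ip, "POST", "Login", 200, new[] { 200 });
        Console.WriteLine($"after release: +{model.Check(ip, "POST", "Login", t0.AddMinutes(1))} ms");
    }
}
```

Under these assumptions the counter is keyed per client, method and request name, so changing the sample IP in Main starts a fresh count; that is worth keeping in mind when choosing GreenRetries and IncreaseRequestTime.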


The Action Filter Attribute (WebApi or MVC)

To protect an action you can use the "NoBruteAttribute". This is the simple way.

| Name | Description |
|---|---|
| string requestName | Gives a fixed name to the incoming request to better identify it. If null, empty or not given, NoBrute will use the RequestPath as the name |
| bool autoProcess | Indicates that the requests should be released / cleared when the configured (see above) HTTP status code is returned by the action. (Default: false) |

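Generated Name

[NoBrute]
public IHttpActionResult Login() { /* ... */ }

Generated Name with auto release

[NoBrute(null, true)] // null requestName: the request path is used as the name
public IHttpActionResult Login() { /* ... */ }

Fixed Name

[NoBrute("MyFixedName")]
public IHttpActionResult Login() { /* ... */ }

Fixed Name with auto release

[NoBrute("MyFixedName", true)]
public IHttpActionResult Login() { /* ... */ }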

The Service

If you have a more complex design to decide when a request should be checked or not you can also use the Service.

Inject Service

private readonly INoBrute nobrute;

public MyController(INoBrute nobrute) {
    this.nobrute = nobrute;
}

Use it in the method:

public IHttpActionResult MyAction() {
    if (1 > 0) { // or some if/else logic
        NoBruteRequestCheck check = this.nobrute.CheckRequest("MyActionRequestName");

        // Some more logic
    }
    return Ok();
}

The "CheckRequest" method returns an object of type NoBruteRequestCheck. It contains the flag "IsGreenRequest" and how much time to append to the request. Some user information, such as the IP, is also returned.

However, you have to call Thread.Sleep yourself here. The service will only release and check requests for you; it never sleeps the request the way the action attribute does.

See more at /src/Domain/INoBrute.cs and /src/Models/NoBruteRequestCheck.cs in the GitHub repository.


Feel free to use the issues page for feature requests / bug reports. Pull requests connected to an issue are also always welcome.


| Version | Changes |
|---|---|
| 1.0 | Initial Release |

| Product | Versions |
|---|---|
| .NET | net5.0, net5.0-windows, net6.0, net6.0-android, net6.0-ios, net6.0-maccatalyst, net6.0-macos, net6.0-tvos, net6.0-windows |
| .NET Core | netcoreapp3.1 |

| Version | Downloads | Last updated |
|---|---|---|
| 1.2.1 | 109 | 4/12/2022 |
| 1.2.0 | 101 | 2/10/2022 |
| 1.1.0 | 94 | 2/7/2022 |
| 1.0.1 | 1,691 | 11/26/2021 |
| 1.0.0 | 244 | 1/16/2021 |