I want to do something to prevent “raw force attacks”. My idea:
Write a policy that always checks the time of the last login attempt (of course with the same username or e-mail). If the time between two experiments is less than 2 seconds, the login attempt should be invalid.
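The per-username timing rule described above, as an added example that is not part of the original post: an in-memory throttle that records the time of every login attempt for a username and rejects any attempt arriving less than 2 seconds after the previous one. The class name, the injectable clock and the case-folding of usernames are assumptions made for this example.

```python
import time
from typing import Callable, Dict, Optional


class LoginThrottle:
    """Per-username login throttle (constructed example).

    Every attempt, accepted or rejected, updates the username's last-attempt
    timestamp, so a continuous flood keeps that account throttled. This also
    means the throttle alone can keep the legitimate owner out while the
    flood lasts; in practice it is combined with per-source limits and a
    shared store (the dict here is process-local and resets on restart).
    """

    def __init__(self, min_interval: float = 2.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.min_interval = min_interval
        self.clock = clock                      # injectable for deterministic tests
        self.last_attempt: Dict[str, float] = {}

    @staticmethod
    def _key(username: str) -> str:
        # Normalise so "Alice" and " alice " share one record (assumption:
        # usernames are case-insensitive in the application).
        return username.strip().lower()

    def allow(self, username: str) -> bool:
        """Return True if the attempt may proceed to password verification."""
        now = self.clock()
        key = self._key(username)
        previous: Optional[float] = self.last_attempt.get(key)
        self.last_attempt[key] = now            # record before deciding
        if previous is None:
            return True
        return (now - previous) >= self.min_interval

    def seconds_until_allowed(self, username: str) -> float:
        """Remaining wait for this username, e.g. for a Retry-After header."""
        previous = self.last_attempt.get(self._key(username))
        if previous is None:
            return 0.0
        return max(0.0, self.min_interval - (self.clock() - previous))
```

Because rejected attempts also reset the timer, anyone who keeps hitting the endpoint for a given username keeps that user locked out; that lock-out risk is the main argument for limiting at the network edge as suggested in the replies.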
To avoid brute forces, bots and so on, I would recommend using Cloudflare or something similar, since this limits the requests on the network side and not in the app. Creating policies for brute forces in the app will use your resources (CPU/RAM) anyway.
It’s very simple: instead of routing your domain directly to the hosting provider, you now point it to Cloudflare’s NS servers, and in Cloudflare you specify your server’s IP. So it will sit between your domain and your server. That way you are adding an extra layer of protection.