I agree with those points but I don't think they mean that we shouldn't be promoting that header as a common solution.
> Server bound to an inaccessible network interface
This is a niche use case. Most sites don't have this problem.
> Distributed client-side brute-force attack against login
This is pretty easy to solve by adding checks on your login endpoint. But really you should have more robust login rate-limiting solutions, whether or not they can be triggered by clients on different sites.
kevincox|1 year ago
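An added example (not code from the thread or from any project it discusses) of the kind of login-endpoint check kevincox is describing. The point of a *distributed* client-side brute force is that each guess arrives from a different visitor's browser and therefore a different IP, so a per-IP limiter never trips; the counter below is keyed on the target account instead, so it trips regardless of where the requests originate. The user store, salt, password and attack timeline are constructed for the demo.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed user store for the demo: username -> (salt, PBKDF2-SHA256 hash).
# A real deployment would use a per-user random salt and a stored KDF parameter set.
_SALT = b"constructed-static-salt-for-demo"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}


class LoginRateLimiter:
    """Sliding-window failure counter keyed on the *target account*, not the client IP.

    Guesses spread over many browsers still all land on one username, so the
    per-account counter reaches its limit no matter how the requests are distributed.
    """

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures

    def _prune(self, username, now):
        q = self._failures[username]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, username, now):
        return len(self._prune(username, now)) >= self.max_failures

    def record_failure(self, username, now):
        self._prune(username, now).append(now)

    def record_success(self, username):
        self._failures.pop(username, None)


def login(limiter, username, password, now=None):
    """Return (ok, reason). The limiter is consulted before any password work is done."""
    now = time.monotonic() if now is None else now
    if limiter.is_blocked(username, now):
        return False, "rate_limited"
    entry = USERS.get(username)
    if entry is None:
        _pbkdf2(password, _SALT)  # burn the same KDF cost so timing does not reveal valid usernames
        limiter.record_failure(username, now)
        return False, "bad_credentials"
    salt, stored = entry
    if hmac.compare_digest(_pbkdf2(password, salt), stored):
        limiter.record_success(username)
        return True, "ok"
    limiter.record_failure(username, now)
    return False, "bad_credentials"


def simulate_distributed_attack(attempts=8):
    """Constructed scenario: `attempts` wrong guesses against 'alice', one per second,
    each imagined as coming from a different visitor's browser (IP is irrelevant here)."""
    limiter = LoginRateLimiter(max_failures=5, window_seconds=300)
    outcomes = [login(limiter, "alice", f"guess-{i}", now=float(i))[1] for i in range(attempts)]
    # While the account is locked, even the correct password is refused...
    ok_during, _ = login(limiter, "alice", "correct horse battery staple", now=float(attempts))
    # ...and once the window has elapsed the legitimate user gets back in.
    ok_after, _ = login(limiter, "alice", "correct horse battery staple", now=float(attempts) + 301)
    return outcomes, ok_during, ok_after


if __name__ == "__main__":
    print(simulate_distributed_attack())
```

The caveat a practitioner would add: a per-account lockout is itself a denial-of-service lever against the targeted user, so production systems usually pair it with a step-up (CAPTCHA or second factor) rather than a hard block, exempt requests carrying a device cookie from a previous successful login, and keep a separate per-IP or global failure-rate limiter for the credential-stuffing case where many accounts each see one or two guesses.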