How to Secure Laravel Login with Throttle Middleware in Just 2 Easy Steps

  • Vfix Technology
  • 10 May 2025
  • Laravel

When you're building a login system in Laravel, it's very important to protect it from bots and brute-force attacks. Thankfully, Laravel comes with a built-in throttle middleware that can limit how many times someone can try to log in.

In this blog, we’ll show you how to secure your login form if you’re using Laravel UI authentication — and all it takes is just 2 simple steps.

✅ Step 1: Add Throttle Middleware to Login Route:

By default, Laravel provides login routes through the Auth::routes() method. But to apply rate limiting, we need to override just the POST /login route.

Open your routes/web.php file and do this:

Auth::routes();

// Override only the POST /login route with throttle middleware
Route::post('login', [App\Http\Controllers\Auth\LoginController::class, 'login'])
    ->middleware('throttle:4,1') // Allows 4 attempts per minute
    ->name('login');

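This code means a client can try to log in only 4 times every 1 minute. Because nobody is authenticated yet at the login form, Laravel counts these attempts per client IP address. If they exceed this, they’ll get a 429 Too Many Requests error.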

✅ Step 2: Create a Custom 429 Error Page:

Let’s make the experience better for users who get blocked. You can show them a countdown and a message instead of the default white error screen.

Create a new file here:

resources/views/errors/429.blade.php

And paste the following code into it:
 

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>429 Too Many Requests</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet">
    <style>
        body { background-color: #f8f9fa; }
        .error-container {
            min-height: 100vh; display: flex; flex-direction: column;
            justify-content: center; align-items: center; text-align: center;
        }
        .countdown {
            font-size: 1.5rem; margin-top: 4px; color: #dc3545;
        }
    </style>
</head>
<body>
<div class="container error-container">
    <h1 class="display-1 fw-bold">429</h1>
    <p class="fs-3 mb-0"><span class="text-danger">Oops!</span> Too Many Requests.</p>
    <p>You have made too many requests in a short period of time.</p>
    <div class="countdown" id="countdown">
        Please wait <span id="timer">60</span> seconds before trying again.
    </div>
    <a href="{{ route('login') }}" class="btn btn-primary mt-4">Back to Login</a>
</div>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js"></script>
<script>
    let seconds = 60;
    const timerElement = document.getElementById('timer');
    const countdown = setInterval(() => {
        seconds--;
        timerElement.textContent = seconds;
        if (seconds <= 0) {
            clearInterval(countdown);
            timerElement.textContent = '0';
        }
    }, 1000);
</script>
</body>
</html>

🎉 That’s It!

Now your Laravel login is protected by rate limiting. If someone tries to brute-force the login, they’ll be blocked after 4 attempts within a minute and shown a friendly error page with a countdown.

This method is perfect for developers using the Laravel UI package and looking for a quick and effective solution to protect their apps.
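
The throttle:4,1 limit from Step 1 counts guest requests per IP address, so it does not cap guesses against one account that arrive from many addresses. The following is an added example, not code from the original post: a named limiter that applies the same 4-per-minute limit per submitted account, plus a broader per-IP limit. It assumes Laravel 8 or later, a login field named email, and a per-IP value of 20 chosen only for illustration.

```php
<?php
// app/Providers/AppServiceProvider.php
// Added example. Assumptions: Laravel 8+, login field named "email",
// and a per-IP ceiling of 20/minute chosen only for illustration.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('login', function (Request $request) {
            // Accept only a string identifier; an array such as email[]=x
            // falls back to an empty key instead of raising an error.
            $email = $request->input('email');
            $account = is_string($email) ? mb_strtolower(trim($email)) : '';

            return [
                // Per-account: 4 attempts per minute no matter which IP
                // they come from (the page's 4,1 limit, re-keyed).
                Limit::perMinute(4)->by('account|' . $account),
                // Per-IP: bounds one client cycling through many accounts.
                Limit::perMinute(20)->by('ip|' . $request->ip()),
            ];
        });
    }
}

// routes/web.php: reference the named limiter instead of throttle:4,1
// Route::post('login', [App\Http\Controllers\Auth\LoginController::class, 'login'])
//     ->middleware('throttle:login')
//     ->name('login');
```

A per-account limit also means repeated failed attempts can temporarily keep the real owner of that account from logging in, which is why the window here stays at one minute.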
