Hello,
We have a login page at login.mypage.eu/. It is directly accessible.
We are investigating a way to make it impossible to reach that page directly. This is a follow-up to an incident in which we noticed unusual traffic to that page. Someone made a credential stuffing attempt against login.mypage.eu/ and was able to run a number of tries with most likely stolen data to gain access to our system.
One of the ways we are considering is to block direct access to login.mypage.eu/ so that it will be slightly more difficult to run automation against that login page.
In order to do that, we want to add a referrer and a token to the call from our webpage mypage.* so that custom JavaScript on login.mypage.eu/ can check the referrer and send the token back to our backend for verification. Once verified, the user will stay on login.mypage.eu/; otherwise they will be redirected back to mypage.*.
Is this good practice, or do you have any other recommended way of doing that?
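The token half of the proposal, as an added example that is not part of the original post: a short-lived HMAC-signed token issued server-side by mypage.* and verified by the login backend, so the check does not rest on the client-supplied Referer header. The secret, the TTL and the claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed: one secret shared by the issuer (mypage.*) and the verifier (login backend).
SECRET = b"replace-with-a-random-32-byte-key"
TOKEN_TTL_SECONDS = 120  # assumed lifetime; long enough for a redirect, short enough to limit replay


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, now: Optional[float] = None) -> str:
    """Built server-side on mypage.* and embedded in the link/form that leads to login.mypage.eu/."""
    now = time.time() if now is None else now
    claims = {"iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """Run on the login backend. Rejects malformed, tampered and expired tokens.

    The Referer header is set by the client and can be omitted or changed at will,
    so the signature, not the referrer, is what proves the request came via mypage.*.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    # A backend that records used nonces until "exp" can additionally make each token single-use.
    return isinstance(claims, dict) and isinstance(claims.get("exp"), int) and claims["exp"] > now
```

A valid token only proves that the client fetched mypage.* first, so it raises the cost of automation rather than preventing it; it belongs alongside rate limiting and MFA, not in place of them.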