Beware to fall into the trap of outdated docs, false advice and not enabling the appropriate security measures.
AFAIK the a.m. setting ist not part of the more current NC configuration anymore.
‘auth.bruteforce.protection.enabled’ => true,
Did you consult the Brute-force settings App documentation and is this app enabled?
Brute Force Protection is meant to protect Nextcloud servers from attempts to guess user passwords in various ways. Besides the obvious " let’s try a big list of commonly used passwords " attack, it also makes it harder to use slightly more sophisticated attacks via the reset password form or trying to find app password tokens.
If triggered, brute force protection makes requests coming from an IP on a bruteforce protected controller with the same API slower for a 24 hour period.
With this app, the admin can exempt an IP address or range from this protection which can be useful for testing purposes or when there are false positives due to a lot of users on one IP address.
The Brute-force settings app should be included in a more current NC install by default and please consult the NC 16 Docs » Apps management and always ensure to not disable the Brute-force settings app inadvertently.
Furthermore, while addressing Nextcloud 16 development issues one could consult the more current NC 16 Docs » App development » API Documentation » \ » OC » Security » Bruteforce » Throttler details or similar documentation, I presume.
However, your concern is quite correct. Obviously, Nextcloud sometimes appears as if far too lazy in updating their online documentation and this can be quite misleading.
Please find a more current documentation available as:
The outdated Nextcloud online documentation includes but is not limited to:
Last not least the German (DE) community may consider this worth a read:
Again this article links to the a.m. Nextcloud Security Scan page with the outdated NC 13 docs. This is rather unfortunate and may hurt the security awareness of the NC user community, I presume.
NOTE: The URL input field of the Nextcloud Security Scan page is correct and one can get an actual security report as appropriate. However, the line “hardening tips
in our hardening guide” is pointing to outdated content.
Hope this helps.