HTTP code 401 on login failure
When purposely causing a login error on Redmine, I can see (using web inspector and/or logfiles) that the HTTP return code is 200, i.e. "everything is ok", for the page that presents the error to the user.
It would be great if Redmine would return a 401 ("Unauthorized", see here: https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_errors).
Indeed, I think a 401 code in the webserver logs has great security value, and makes it easy to integrate with solutions such as Fail2Ban and others.
If this change were made, there should be absolutely no impact on the user.