Rate limiting rules
Rate limiting rules allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached.
Like other rules evaluated by Cloudflare’s Ruleset Engine, rate limiting rules have the following basic parameters:
- An expression that specifies the criteria you are matching traffic on using the Rules language.
- An action that specifies what to perform when there is a match for the rule and any additional conditions are met. In the case of rate limiting rules, the action occurs when the rate reaches the specified limit.
Besides these two parameters, rate limiting rules require the following additional parameters:
- Characteristics: The set of parameters that define how Cloudflare tracks the rate for this rule.
- Period: The period of time to consider (in seconds) when evaluating the rate.
- Requests per period: The number of requests over the period of time that will trigger the rate limiting rule.
- Duration (or mitigation timeout): Once the rate is reached, the rate limiting rule blocks further requests for the period of time defined in this field.
- Action behavior: By default, Cloudflare will apply the rule action for the configured duration (or mitigation timeout), regardless of the request rate during this period. Some Enterprise customers can configure the rule to throttle requests over the maximum rate, allowing incoming requests when the rate is lower than the configured limit.
Refer to Rate limiting parameters for more information on mandatory and optional parameters.
Refer to How Cloudflare determines the request rate to learn how Cloudflare uses the parameters above when determining the rate of incoming requests.
-
Rate limiting rules are evaluated in order, and some actions like Block will stop the evaluation of other rules. For more details on actions and their behavior, refer to the actions reference.
-
Rate limiting rules are not designed to allow a precise number of requests to reach the origin server. In some situations, there may be a delay (up to a few seconds) between detecting a request and updating internal counters. Due to this delay, excess requests could still reach the origin server before Cloudflare enforces a mitigation action (such as blocking or challenging) in our global network.
-
Applying rate limiting rules to verified bots might affect Search Engine Optimization (SEO). For more information, refer to Improve SEO.
| Feature | Free | Pro | Business | Enterprise with app security | Enterprise with Advanced Rate Limiting |
|---|---|---|---|---|---|
| Available fields in rule expression | Path, Verified Bot | Host, URI, Path, Full URI, Query, Verified Bot | Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot | Standard fields, request header fields, dynamic fields (including Verified Bot), other Bot Management fields1 | Standard fields, request header fields, dynamic fields (including Verified Bot), other Bot Management fields1, request body fields2 |
| Counting characteristics | IP | IP | IP | IP, IP with NAT support | IP, IP with NAT support, Query, Host, Headers, Cookie, ASN, Country, Path, JA3/JA4 Fingerprint1, JSON field value2, Body2, Form input value2, Custom |
| Available fields in counting expression | N/A | N/A | All rule expression fields, Response code, Response headers | All rule expression fields, Response code, Response headers | All rule expression fields, Response code, Response headers |
| Counting model | Number of requests | Number of requests | Number of requests | Number of requests | Number of requests, complexity score |
| Rate limiting action behavior | Perform action during mitigation period | Perform action during mitigation period | Perform action during mitigation period | Perform action during mitigation period, Throttle requests above rate with block action | Perform action during mitigation period, Throttle requests above rate with block action |
| Counting periods | 10 s | 10 s, 1 min | 10 s, 1 min, 10 min | 10 s, 1 min, 2 min, 5 min, 10 min | 10 s, 1 min, 2 min, 5 min, 10 min, 1 h |
| Mitigation timeout periods | 10 s | 10 s, 1 min, 1 h | 10 s, 1 min, 1 h, 1 day | 10 s, 1 min, 2 min, 5 min, 10 min, 1 h, 1 day3 | 10 s, 1 min, 2 min, 5 min, 10 min, 1 h, 1 day3 |
| Number of rules | 1 | 2 | 5 | 5 or more4 | 100 |
1 Only available to Enterprise customers who have purchased Bot
Management.
2 Availability depends on your WAF plan.
3 Enterprise customers can specify a custom mitigation
timeout period via API.
4 Enterprise customers must have application security on
their contract to get access to rate limiting rules. The number of rules depends
on the exact contract terms.
Refer to the following resources:
- Create a rate limiting rule in the dashboard for a zone
- Create a rate limiting rule via API for a zone
-
Rate limiting rulesets: Some Enterprise customers can create rate limiting rulesets at the account level that they can deploy to multiple Enterprise zones.
-
Cloudflare Rate Limiting (previous version, now deprecated): Documentation for the previous version of rate limiting rules (billed based on usage).