Use Custom rules to control incoming traffic by filtering requests to a zone. They work as customized web application firewall (WAF) rules that you can use to perform actions like Block or Managed Challenge on incoming requests.

Use WAF Managed Rules to apply custom criteria for all incoming HTTP requests.

Understand hosting plan limits

Cloudflare offsets most of the load on your website via caching and request filtering, but some traffic will still pass through to your origin. Knowing the limits of your hosting plan can help prevent a bottleneck at your host.

Once you are aware of your plan limits, you can use Rate Limiting to restrict how many times a requesting entity can make a request to your website.

To help you define the best rate limiting setting for your use case, refer to How Cloudflare determines the request rate.

Security models

Positive Security policy: Allow specific requests and deny everything else.

Negative Security policy: Block specific requests and allow everything else.
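
The two models differ in the default action applied to requests that no rule anticipated. The sketch below is an added example, not part of the original page and not Cloudflare's rule syntax or API; the rule lists, paths and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Request:
    method: str
    path: str

Rule = Tuple[Callable[[Request], bool], str]   # (match predicate, action)
Policy = Tuple[List[Rule], str]                # (ordered rules, default action)

def evaluate(policy: Policy, req: Request) -> str:
    """First matching rule decides; otherwise the policy default applies."""
    rules, default = policy
    for matches, action in rules:
        if matches(req):
            return action
    return default

# Positive model: enumerate what the site serves, default to block.
POSITIVE: Policy = ([
    (lambda r: r.method == "GET" and r.path in {"/", "/products"}, "allow"),
    (lambda r: r.method == "POST" and r.path == "/login", "allow"),
], "block")

# Negative model: enumerate known-bad patterns, default to allow.
NEGATIVE: Policy = ([
    (lambda r: r.path.startswith("/wp-admin"), "block"),
    (lambda r: r.path.endswith("/.env"), "block"),
], "allow")

# Constructed sample traffic (hypothetical paths).
SAMPLE = [
    Request("GET", "/products"),     # expected by both models
    Request("GET", "/.env"),         # on the negative model's blocklist
    Request("DELETE", "/products"),  # anticipated by neither list
    Request("GET", "/backup.zip"),   # anticipated by neither list
]

def decisions(policy: Policy, requests: List[Request]) -> List[str]:
    return [evaluate(policy, r) for r in requests]

def disagreements(requests: List[Request]) -> List[Tuple[str, str]]:
    """Requests the positive model blocks but the negative model lets through."""
    return [(r.method, r.path) for r in requests
            if evaluate(POSITIVE, r) == "block" and evaluate(NEGATIVE, r) == "allow"]

if __name__ == "__main__":
    for r, p, n in zip(SAMPLE, decisions(POSITIVE, SAMPLE), decisions(NEGATIVE, SAMPLE)):
        print(f"{r.method:6} {r.path:12} positive={p:5} negative={n}")
```

The requests returned by `disagreements` are the ones neither list anticipated: the positive policy denies them by default, while the negative policy passes them to the origin until a blocking rule is written for them.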

