Cloudflare Docs
Visit Support on GitHub
Set theme to dark (⇧+D)

Troubleshooting Cloudflare Rate Limiting

​​ Overview

A few common Rate Limiting configuration issues prevent proper request matches:

  • Including HTTP or HTTPS protocol schemes in rule patterns (such as*). To restrict rules to match only HTTP or HTTPS traffic, use the schemes array in the request match, e.g. “schemes”: [ “HTTPS” ]
  • Forgetting a trailing slash character (/). Cloudflare Rate Limiting only treats requests for the homepage (such as and as equivalent, but not any other path (such as and To match request paths both with and without the trailing slash, use a wildcard match (such as*
  • Including a query string or anchor (such as or A rule like will match requests for
  • Overriding a rate limit with IP Access Rules.
  • Including a port number (such as The rate limit product doesn’t consider port numbers within rules and this affects the rules. By removing the port number from the URL, the rate limit rule will trigger as expected.

Also, there are a few common errors that prevent configuring Rate Limiting via the Cloudflare API:  

​​ Limitations

Rate Limiting is designed to limit surges in traffic that exceed a user-defined rate. The system is not designed to allow a precise number of requests to reach the origin server. There might be cases where a delay is introduced between detecting the request and updating the internal counter. Because of this delay (which can be up to a few seconds), excess requests could still reach the origin before an action is enforced at the edge (such as blocking or challenging).