Skip to content
WAF
Visit WAF on GitHub
Set theme to dark (⇧+D)

Rate limiting parameters

The available Rate Limiting rule parameters are the following:

  • expression String

    • Expression you are matching traffic on.
  • action String

    • Action to perform when the request rate specified in the rule is reached.
    • Use one of the following values: block, challenge, js_challenge, or log.
  • characteristics Array<String>

    • Set of parameters defining how Cloudflare tracks the request rate for the rule.
    • Use one or more of the following characteristics:
      • cf.colo.id (mandatory in the API; implicitly included when using the dashboard)
      • ip.src
      • ip.geoip.country
      • ip.geoip.asnum
      • http.request.headers["<header_name>"]
  • period Number

    • The period of time to consider (in seconds) when evaluating the request rate.
    • Use one of the following values: 10, 60 (one minute), 600 (ten minutes), or 3600 (one hour).
  • requests_per_period Number

    • The number of requests over the period of time that will trigger the rule.
  • mitigation_timeout Number

    • Once the request rate is reached, the Rate Limiting rule blocks further requests for the period of time defined in this field (in seconds).
    • Use one of the following values: 10, 60 (one minute), 600 (ten minutes), 3600 (one hour), or 86400 (one day).
    • The value must be 0 when action is challenge or js_challenge.
  • mitigation_expression String optional

    • Scope of the mitigation action. Currently, this field is only available via API.
    • Allows you to specify an action scope different from the rule scope. For example, you can count login attempts at the /login URI path using the expression field and then perform rate limiting on the entire site using the mitigation_expression field.
    • The default value is "" (empty string). When set to the default value, Cloudflare uses the value of the expression field as the mitigation expression.
    • The value must be the same as the expression value or "" when action is challenge or js_challenge.