Cloudflare Docs
WAF
Edit this page on GitHub
Set theme to dark (⇧+D)

Rate limiting rule examples

The examples below include sample rate limiting rule configurations.

​​ Example 1

The following rule performs rate limiting on incoming requests from the US addressed at the login page, except for one allowed IP address.

Expression:
(http.request.uri.path eq "/login" and ip.geoip.country eq "US" and ip.src ne 192.0.0.1)

Rule characteristics:

  • Data center ID (included by default when creating the rule in the dashboard)
  • IP Address

​​ Example 2

The following rule performs rate limiting on incoming requests with a given base URI path, incrementing on the IP address and the provided API key.

Expression:
(http.request.uri.path contains "/product" and http.request.method eq "POST")

Rule characteristics:

  • Data center ID (included by default when creating the rule in the dashboard)
  • IP Address
  • HTTP Header > x-api-key

​​ Example 3

The following rule performs rate limiting on requests targeting multiple URI paths in two hosts, excluding known bots. The request rate is based on IP address and User-Agent values.

Expression:
(http.request.uri.path eq "/store" or http.request.uri.path eq "/prices") and (http.host eq "mystore1.com" or http.host eq "mystore2.com") and not cf.client.bot

Rule characteristics:

  • Data center ID (included by default when creating the rule in the dashboard)
  • IP Address
  • HTTP Header > user-agent