Rate limiting rules
Rate limiting rules allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached.
- An that specifies the criteria you are matching traffic on using the .
- An that specifies what to perform when there is a match for the rule and any additional conditions are met. In the case of rate limiting rules, the action occurs when the rate reaches the specified limit.
Besides these two parameters, rate limiting rules require the following additional parameters:
- Characteristics: The set of parameters that define how Cloudflare tracks the rate for this rule.
- Period: The period of time to consider (in seconds) when evaluating the rate.
- Requests per period: The number of requests over the period of time that will trigger the rate limiting rule.
- Duration (or mitigation timeout): Once the rate is reached, the rate limiting rule blocks further requests for the period of time defined in this field.
- Action behavior: By default, Cloudflare will apply the rule action for the configured duration (or mitigation timeout), regardless of the request rate during this period. Some Enterprise customers can configure the rule to over the maximum rate, allowing incoming requests when the rate is lower than the configured limit.
Rate limiting rules are not designed to allow a precise number of requests to reach the origin server. In some situations, there may be a delay (up to a few seconds) between detecting a request and updating internal counters. Due to this delay, excess requests could still reach the origin server before Cloudflare enforces a mitigation action (such as blocking or challenging) in our global network.
The rule quota and the available features depend on your Cloudflare plan.
You can configure rate limiting rules at the zone level and at the account level, depending on your plan and product subscriptions.
To configure rate limiting rules in the Cloudflare dashboard, refer to the following resources: