Rate limiting rules
Rate limiting rules allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached.
Like other rules evaluated by Cloudflare’s Ruleset Engine, rate limiting rules have an associated expression and an action.
The expression specifies the criteria you are matching traffic on using the Rules language. The action specifies what to perform when there is a match for the rule and any additional conditions are met. In the case of rate limiting rules, the action occurs when the rate reaches the specified limit.
Besides these two parameters, rate limiting rules require the following additional parameters:
- Characteristics — The set of parameters that define how Cloudflare tracks the rate for this rule.
- Period — The period of time to consider (in seconds) when evaluating the rate.
- Requests per period — The number of requests over the period of time that will trigger the rate limiting rule.
- Mitigation timeout — Once the rate is reached, the rate limiting rule blocks further requests for the period of time defined in this field.
Refer to Rate limiting parameters for more information on mandatory and optional parameters.
Refer to Determining the rate to learn how Cloudflare uses the parameters above when determining the rate of incoming requests.
Applying rate limiting rules to verified bots might affect Search Engine Optimization (SEO). For more information, refer to Improve SEO.
Rate limiting rules are available to all customers. The available features depend on the exact plan:
|Feature||Free||Pro||Business or Enterprise1||Enterprise with WAF Essential||Enterprise with Advanced Rate Limiting|
in rule expression
|Path, Verified Bot||Host, URI, Path, Full URI, Query, Verified Bot||Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot||Standard fields, dynamic fields (including Verified Bot), other Bot Management fields2||Standard fields, dynamic fields (including Verified Bot), other Bot Management fields2, request body fields3|
|Counting characteristics||IP||IP||IP||IP, IP with NAT support||IP, IP with NAT support, Query, Host, Headers, Cookie, ASN, Country, Path, JA3 Fingerprint2, JSON body field3, Body3|
in counting expression
|N/A||N/A||All rule expression fields, Response code, Response headers||All rule expression fields, Response code, Response headers||All rule expression fields, Response code, Response headers|
|Counting model||Number of requests||Number of requests||Number of requests||Number of requests||Number of requests,|
|Counting periods||10 s||10 s, 1 min||10 s, 1 min, 10 min||10 s, 1 min, 2 min, 5 min, 10 min||10 s, 1 min, 2 min, 5 min, 10 min, 1 h|
|Timeout periods||10 s||10 s, 1 min, 1 h||10 s, 1 min, 1 h, 1 day||10 s, 1 min, 2 min, 5 min, 10 min, 1 h, 1 day||10 s, 1 min, 2 min, 5 min, 10 min, 1 h, 1 day|
|Number of rules||1||2||5||100||100|
1 Enterprise plans with no additional subscriptions.
2 Only available to Enterprise customers who have purchased Bot Management.
3 Availability depends on your WAF plan.
For availability information related to the previous version of rate limiting rules, refer to Rate Liming allowances per plan.
You can configure rate limiting rules at the zone level and at the account level, depending on your plan and product subscriptions.
To configure rate limiting rules in the Cloudflare dashboard, refer to the following resources:
- Create rate limiting rules in the dashboard for a zone
- Create rate limiting rules in the dashboard for an account
You can also configure rate limiting rules using the Rulesets API. Refer to Create rate limiting rules via API for more information.