Cloudflare Docs
Visit WAF on GitHub
Set theme to dark (⇧+D)

Rate limiting rules

Rate limiting rules allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached.

​​ Rule parameters

Like other rules evaluated by Cloudflare’s Ruleset Engine, rate limiting rules have an associated expression and an action.

The expression specifies the criteria you are matching traffic on using the Rules language. The action specifies what to perform when there is a match for the rule and any additional conditions are met. In the case of rate limiting rules, the action occurs when the rate reaches the specified limit.

Besides these two parameters, rate limiting rules require the following additional parameters:

  • Characteristics — The set of parameters that define how Cloudflare tracks the rate for this rule.
  • Period — The period of time to consider (in seconds) when evaluating the rate.
  • Requests per period — The number of requests over the period of time that will trigger the rate limiting rule.
  • Mitigation timeout — Once the rate is reached, the rate limiting rule blocks further requests for the period of time defined in this field.

Refer to Rate limiting parameters for more information on mandatory and optional parameters.

Refer to Determining the rate to learn how Cloudflare uses the parameters above when determining the rate of incoming requests.

​​ Important remarks

Applying rate limiting rules to verified bots might affect Search Engine Optimization (SEO). For more information, refer to Improve SEO.

​​ Availability

Rate limiting rules are available to Enterprise customers. The available features depend on the exact plan:

FeatureEnterpriseEnterprise Advanced
Available fields
in rule expression
URL, Method, Headers, Source IPStandard fields, body fields, dynamic fields (including Bot Management fields*)
Counting characteristicsIPIP, IP with NAT support, Query, Headers, Cookie, ASN, Country, JA3 Fingerprint*
Available fields
in counting expression
URL, Method, Request headers, Source IP, Response code, Response headersURL, Method, Request headers, Source IP, Response code, Response headers
Counting modelNumber of requestsNumber of requests
Complexity score
Maximum sampling period10 minutes1 hour

* Only available to Enterprise customers who have purchased Bot Management.

​​ Next steps

To configure rate limiting rules in the Cloudflare dashboard, go to Security > WAF > Rate limiting rules. For more information, refer to Create rate limiting rules in the dashboard.

You can also configure rate limiting rules using the Rulesets API. Refer to Create rate limiting rules via API for more information.