Cloudflare Docs
WAF
Visit WAF on GitHub
Set theme to dark (⇧+D)

Create rate limiting rules in the dashboard for an account

At the account level, you must first create a custom rate limiting ruleset, containing one or more rate limiting rules, and then deploy it to one or more zones on an Enterprise plan.

Both operations are available in the dashboard in Account Home > Application Security > WAF > Rate limiting rulesets.

​​ 1. Create a custom rate limiting ruleset

To create a new custom rate limiting ruleset:

  1. Log in to the Cloudflare dashboard, and select your account.

  2. Navigate to Account Home > Application Security > WAF > Rate limiting rulesets.

  3. Under Your custom rulesets, select Create new ruleset.

  4. Enter a name for the ruleset and (optionally) a description.

  5. In the ruleset creation page, select Create rule.

  6. In the rule creation page, enter a descriptive name for the rule in Rule name.

    Create rate limiting rule at the account level in the Cloudflare dashboard

  7. Under When incoming requests match, use the Field drop-down list to choose an HTTP property. For each request, the value of the property you choose for Field is compared to the value you specify for Value using the operator selected in Operator.

  8. Select the rule action from the Choose an action drop-down list. For example, selecting Block tells Cloudflare to refuse requests in the conditions you specified when the request limit is reached.

  9. (Optional) If you selected the Block action, you can configure a custom response for requests exceeding the configured rate limit.

  10. Under For, select the mitigation timeout in Duration. This is the time period during which Cloudflare applies the select action once the rate is reached.

  11. Under When rate exceeds, define the maximum number of requests and the time period to consider when determining the rate.

  12. Under With the same, configure the characteristics that will define the request counters for rate limiting purposes. Each value combination will have its own counter to determine the rate. Refer to Determining the rate for more information.

    The available characteristics depend on your Cloudflare plan and product subscriptions.

  13. (Optional) Under Counter, enable Use custom counting expression to define an expression that specifies the conditions for incrementing the rate counter. By default, the counting expression is the same as the rule expression. The counting expression can include response fields.

  14. (Optional) Under Cache status, disable Also apply rate limiting to cached assets to consider only the requests that reach the origin when determining the rate.

  15. Select Add rule.

  16. Create additional rate limiting rules as needed, and then select Create to create the ruleset.

​​ 2. Deploy the custom rate limiting ruleset

To deploy a custom rate limiting ruleset to one or more zones on an Enterprise plan:

  1. Log in to the Cloudflare dashboard, and select your account.

  2. Navigate to Account Home > Application Security > WAF > Rate limiting rulesets.

  3. Under Your custom rulesets and next to the rate limiting ruleset you wish to deploy, select Deploy.

  4. In the ruleset deployment page, enter a descriptive name for the rule deploying the ruleset in Execution name.

  5. Under Execution scope, review the scope of the rate limiting ruleset to deploy. If necessary, select Edit scope and configure the expression that will determine the scope of the current rule.

  6. To deploy your rule immediately, select Deploy. If you are not ready to deploy your rule, select Save as draft.

The Rate limiting rulesets list will show a rule for each deployed custom rate limiting ruleset.

​​ Configuring a custom response for blocked requests

When you select the Block action in a rule you can optionally define a custom response.

The custom response has three settings:

  • Response type: Choose a content type or the default block response from the list. The available custom response types are the following:

    Dashboard valueAPI value
    Custom HTML"text/html"
    Custom Text"text/plain"
    Custom JSON"application/json"
    Custom XML"text/xml"
  • Response code: Choose an HTTP status code for the response, in the range 400-499. The default response code is 403.

  • Response body: The body of the response. Configure a valid body according to the response type you selected.