Create a rate limiting rule in the dashboard for a zone
Go to Security > WAF > Rate limiting rules.
Select Create rule.
Enter a descriptive name for the rule in Rule name.
Under If incoming requests match, use the Field drop-down list to choose an HTTP property. For each request, the value of the property you choose for Field is compared to the value you specify for Value using the operator selected in Operator.
(Optional) Under Cache status, disable Also apply rate limiting to cached assets to consider only the requests that reach the origin when determining the rate.
Under With the same characteristics, add one or more characteristics that will define the request counters for rate limiting purposes. Each value combination will have its own counter to determine the rate. Refer to for more information.
(Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable Use custom counting expression and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include .
Under When rate exceeds, define the maximum number of requests and the time period to consider when determining the rate.
Under Then take action, select the rule action from the Choose action drop-down list. For example, selecting Block tells Cloudflare to refuse requests in the conditions you specified when the request limit is reached.
Select the mitigation timeout in the Duration dropdown. This is the time period during which Cloudflare applies the select action once the rate is reached.
Enterprise customers with a paid add-on can instead of applying the configured action for a selected duration. To throttle requests, under With the following behavior select Throttle requests over the maximum configured rate.
To save and deploy your rule, select Deploy. If you are not ready to deploy your rule, select Save as Draft.
Configuring a custom response for blocked requests
When you select the Block action in a rule you can optionally define a custom response.
The custom response has three settings:
With response type: Choose a content type or the default rate limiting response from the list. The available custom response types are the following:
Dashboard value API value Custom HTML
With response code: Choose an HTTP status code for the response, in the range 400-499. The default response code is 429.
Response body: The body of the response. Configure a valid body according to the response type you selected. The maximum field size is 2 KB.