Cloudflare Docs

Rate limiting rule examples

The examples below include sample rate limiting rule configurations.

Example 1

The following rate limiting rule performs rate limiting on incoming requests from the US addressed to the login page, except for one allowed IP address.

When incoming requests match:

Field               Operator         Value
URI Path            equals           /login           And
Country             equals           United States    And
IP Source Address   does not equal   192.0.0.1

If you are using the Expression Editor:
(http.request.uri.path eq "/login" and ip.src.country eq "US" and ip.src ne 192.0.0.1)

With the same characteristics:

  • IP
  • Data center ID (included by default in the dashboard, but not shown)

Example 2

The following rate limiting rule performs rate limiting on incoming requests with a given base URI path, incrementing on the IP address and the provided API key.

When incoming requests match:

Field               Operator         Value
URI Path            contains         /product         And
Request Method      equals           POST

If you are using the Expression Editor:
(http.request.uri.path contains "/product" and http.request.method eq "POST")

With the same characteristics:

  • IP
  • Header value of x-api-key
  • Data center ID (included by default in the dashboard, but not shown)

Example 3

The following rate limiting rule performs rate limiting on requests targeting multiple URI paths in two hosts, excluding known bots. The request rate is based on IP address and User-Agent values.

When incoming requests match:

(http.request.uri.path eq "/store" or http.request.uri.path eq "/prices") and (http.host eq "mystore1.com" or http.host eq "mystore2.com") and not cf.client.bot

With the same characteristics:

  • IP
  • Header value of user-agent
  • Data center ID (included by default in the dashboard, but not shown)

Example 4

The following rate limiting rule performs complexity-based rate limiting. The rule takes into account the my-score HTTP response header provided by the origin server to calculate a total complexity score for the client with the provided API key.

The counter holding the total score is updated whenever a request matches the rule's counting expression (here the same as the rule expression, since no separate counting expression was provided). When the total score exceeds 400 within a period of one minute, any later requests from that client are blocked for a period of 10 minutes.

When incoming requests match:

Field               Operator         Value
URI Path            wildcard         /graphql/*

If you are using the Expression Editor:
(http.request.uri.path wildcard "/graphql/*")

With the same characteristics:

  • Header value of x-api-key
  • Data center ID (included by default in the dashboard, but not shown)

When rate exceeds: Complexity based

  • Score per period: 400
  • Period: 1 minute
  • Response header name: my-score

Then take action:

  • Choose action: Block

With the following behavior: Block for the selected duration

  • Duration: 10 minutes
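To make the counting semantics concrete, the following Python simulation is an added example (not Cloudflare's code or part of this page) that models both rule shapes shown above: request-based counting keyed by the selected characteristics (Examples 1 to 3, using Example 3's expression) and complexity-based counting from the origin's my-score header (Example 4). It uses fixed one-period windows and an in-memory store; the Request class, the colo field standing in for the data center ID, the sample IPs, API key and User-Agent strings, and the threshold, period and timeout chosen for the request-based rule (the page states none for Examples 1 to 3) are all assumptions.

```python
"""Simulation of the counter semantics behind the rate limiting rules on this page.

Added illustration, not Cloudflare's implementation: fixed one-period windows,
an in-memory store, and assumed limits for the request-based rule.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Request:
    path: str
    host: str
    method: str
    ip: str
    country: str
    colo: str                  # data center ID; the dashboard adds it as a characteristic
    headers: dict = field(default_factory=dict)
    bot: bool = False          # stands in for cf.client.bot


class RateLimitRule:
    def __init__(self, match, characteristics, period, threshold, timeout, score_header=None):
        self.match = match                       # rule expression as a predicate on Request
        self.characteristics = characteristics   # functions mapping a Request to one key part
        self.period = period                     # counting window in seconds
        self.threshold = threshold               # requests per period, or score per period
        self.timeout = timeout                   # mitigation duration in seconds
        self.score_header = score_header         # None => count requests, else sum this header
        self.counters = {}                       # key -> (window_start, total)
        self.blocked_until = {}                  # key -> timestamp

    def _key(self, req):
        return tuple(c(req) for c in self.characteristics)

    def _add(self, key, now, amount):
        """Add to the key's counter; return True once the total exceeds the threshold."""
        start, total = self.counters.get(key, (now, 0))
        if now - start >= self.period:           # window expired: start a fresh one
            start, total = now, 0
        total += amount
        self.counters[key] = (start, total)
        if total > self.threshold:
            self.blocked_until[key] = now + self.timeout
            return True
        return False

    def on_request(self, req, now):
        """Decision for an incoming request: 'skip' (no match), 'allow' or 'block'."""
        if not self.match(req):
            return "skip"
        key = self._key(req)
        if self.blocked_until.get(key, 0) > now:
            return "block"
        if self.score_header is None and self._add(key, now, 1):
            return "block"                       # the request that crosses the threshold
        return "allow"

    def on_response(self, req, now, response_headers):
        """Complexity-based rules add the origin's score after the response; later requests block."""
        if self.score_header is not None and self.match(req):
            self._add(self._key(req), now, int(response_headers.get(self.score_header, 0)))


def make_example3():
    # Example 3: two paths on two hosts, excluding bots, keyed by IP and User-Agent.
    # 3 requests per 10 s with a 60 s block is an assumed limit for illustration.
    return RateLimitRule(
        match=lambda r: r.path in ("/store", "/prices")
        and r.host in ("mystore1.com", "mystore2.com") and not r.bot,
        characteristics=[lambda r: r.ip, lambda r: r.headers.get("user-agent"), lambda r: r.colo],
        period=10, threshold=3, timeout=60,
    )


def make_example4():
    # Example 4 as stated on the page: 400 points per minute from my-score, block for 10 minutes.
    return RateLimitRule(
        match=lambda r: fnmatchcase(r.path, "/graphql/*"),
        characteristics=[lambda r: r.headers.get("x-api-key"), lambda r: r.colo],
        period=60, threshold=400, timeout=600, score_header="my-score",
    )


def run_example3():
    """One browser hits /store five times, then a bot and a second browser appear."""
    rule = make_example3()
    base = dict(host="mystore1.com", method="GET", ip="203.0.113.5", country="US",
                colo="SJC", headers={"user-agent": "Browser/1.0"})      # constructed sample
    decisions = [rule.on_request(Request(path="/store", **base), now=t) for t in range(5)]
    decisions.append(rule.on_request(Request(path="/store", bot=True, **base), now=5))
    other = dict(base, headers={"user-agent": "Browser/2.0"})   # new User-Agent => own counter
    decisions.append(rule.on_request(Request(path="/prices", **other), now=6))
    return decisions   # ['allow', 'allow', 'allow', 'block', 'block', 'skip', 'allow']


def run_example4():
    """One API key whose GraphQL responses each carry my-score: 150."""
    rule = make_example4()
    req = Request(path="/graphql/query", host="api.example.com", method="POST",
                  ip="198.51.100.7", country="US", colo="SJC",
                  headers={"x-api-key": "key-A"})                        # constructed sample
    decisions = []
    for now in (0, 10, 20):
        decisions.append(rule.on_request(req, now))          # allowed on the way in
        rule.on_response(req, now, {"my-score": "150"})      # totals 150, 300, 450
    decisions.append(rule.on_request(req, 30))               # 450 > 400: blocked
    decisions.append(rule.on_request(req, 20 + 600 + 1))     # 10-minute block has elapsed
    return decisions   # ['allow', 'allow', 'allow', 'block', 'allow']
```

Two points the runs make visible: a change in any characteristic (here the User-Agent) starts a separate counter, which is why the choice of characteristics decides how easily a client can sidestep the rule; and for the complexity-based rule the request that pushes the score past 400 is itself served, because the score only becomes known from the origin's response, and the block applies to the requests that follow.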

For an API example with this rule configuration, refer to Create a rate limiting rule via API.