Troubleshooting Cloudflare Rate Limiting

Troubleshoot common issues that prevent proper Rate Limiting request matches as well as cause errors via the Cloudflare API.


A few common Rate Limiting configuration issues prevent proper request matches:

  • Including HTTP or HTTPS protocol schemes in rule patterns (such as*). To restrict rules to match only HTTP or HTTPS traffic, use the schemes array in the request match, e.g. "schemes": [ "HTTPS" ]
  • Forgetting a trailing slash character (/). Cloudflare Rate Limiting only treats requests for the homepage (such as and as equivalent, but not any other path (such as and match request paths both with and without the trailing slash, use a wildcard match (such as*
  • Including a query string or anchor (such as or   A rule like will match requests for
  • Overriding a rate limit with IP Access Rules.

Also, there are a few common errors that prevent configuring Rate Limiting via the Cloudflare API:  

  • Decoding is not yet implemented - Indicates that your request is missing the Content-Type: application/json header. Add the header to your API request to fix the issue.
  • Ratelimit.api.not_entitled - Enterprise customers must contact their Cloudflare Account Team before adding rules.
  • Other errors are documented in the API documentation. If you're unsure about a particular error, contact Cloudflare Support and provide the failed API request after redacting your API key.

The origin_traffic parameter can only be set on Enterprise plans. Setting origin_traffic = false for a rule on a Free, Pro, or Enterprise domain is automatically converted into origin_traffic = true.

Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.