Troubleshooting Cloudflare Rate Limiting

Troubleshoot common issues that prevent proper Rate Limiting request matches as well as cause errors via the Cloudflare API.


Overview

A few common Rate Limiting configuration issues prevent proper request matches:

  • Including HTTP or HTTPS protocol schemes in rule patterns (such as https://example.com/*). To restrict rules to match only HTTP or HTTPS traffic, use the schemes array in the request match, e.g. "schemes": [ "HTTPS" ]
  • Forgetting a trailing slash character (/). Cloudflare Rate Limiting only treats requests for the homepage (such as example.com and example.com/) as equivalent, but not any other path (such as example.com/path/ and example.com/path)To match request paths both with and without the trailing slash, use a wildcard match (such as example.com/path*
  • Including a query string or anchor (such as example.com/path?foo=bar or example.com/path#section1).   A rule like example.com/path will match requests for example.com/path?foo=bar.
  • Overriding a rate limit with IP Access Rules.

Also, there are a few common errors that prevent configuring Rate Limiting via the Cloudflare API:  

  • Decoding is not yet implemented - Indicates that your request is missing the Content-Type: application/json header. Add the header to your API request to fix the issue.
  • Ratelimit.api.not_entitled - Enterprise customers must contact their Cloudflare Account Team before adding rules.
  • Other errors are documented in the API documentation. If you're unsure about a particular error, contact Cloudflare Support and provide the failed API request after redacting your API key.

The origin_traffic parameter can only be set on Enterprise plans. Setting origin_traffic = false for a rule on a Free, Pro, or Enterprise domain is automatically converted into origin_traffic = true.


Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.