Configuring Cloudflare Rate Limiting

Learn how to configure Cloudflare Rate Limiting to protect your website applications against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior.


Overview

Cloudflare Rate Limiting automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain. Request rates are calculated locally for individual Cloudflare data centers. The most common uses for Rate Limiting are DDoS protection, brute-force attack protection, and limiting access to forum searches, API calls, or resources that involve database-intensive operations at your origin.

Rate Limiting is an add-on service for all customer plans in the Firewall app of the Cloudflare dashboard under the Tools tab.

Once an individual IPv4 address or IPv6 /64 IP range exceeds a rule threshold, further requests to the origin web server are blocked with an HTTP 429 response that includes a Retry-After header to indicate when the client can resume sending requests.

Cached resources and known Search Engine crawlers are exempted from a customer's Rate Limiting rules. Rate Limiting does not negatively affect a website’s SEO ranking.
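The following is an added illustration, not Cloudflare's code, of the behaviour described above for a single rule at a single node: requests are counted per IPv4 address or per IPv6 /64 range, cached responses are not counted, and once the count within the request period exceeds the threshold the client receives 429 with a Retry-After value for the rest of the action duration. Cloudflare counts per data center and the real implementation is not public; the class, method names and the sliding-window bookkeeping here are assumptions made for the example.

```python
import ipaddress
import math
from collections import deque


def client_key(ip: str) -> str:
    """Counting key: the full IPv4 address, or the /64 prefix for IPv6,
    mirroring the page's 'IPv4 address or IPv6 /64 IP range'."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


class RateLimiter:
    """Sliding-window model (hypothetical, not Cloudflare's code): more than
    `threshold` counted requests within `period` seconds blocks the key for
    `action_duration` seconds."""

    def __init__(self, threshold: int, period: int, action_duration: int):
        self.threshold = threshold
        self.period = period
        self.action_duration = action_duration
        self._hits = {}      # key -> deque of request times inside the window
        self._blocked = {}   # key -> time at which the block expires

    def check(self, ip: str, now: float, cache_status: str = "MISS"):
        """Return (status, retry_after): 200 means forward to the origin,
        429 means blocked with the Retry-After seconds to send back."""
        # Cached resources are exempt from the rule and are not counted.
        if cache_status == "HIT":
            return 200, None
        key = client_key(ip)
        until = self._blocked.get(key)
        if until is not None:
            if now < until:
                return 429, max(1, math.ceil(until - now))
            del self._blocked[key]  # action duration has passed
        window = self._hits.setdefault(key, deque())
        window.append(now)
        # Drop requests that fell out of the request period.
        while window and window[0] <= now - self.period:
            window.popleft()
        if len(window) > self.threshold:
            self._blocked[key] = now + self.action_duration
            window.clear()
            return 429, self.action_duration
        return 200, None


if __name__ == "__main__":
    # Six requests in six seconds against a 5-per-10-seconds rule: the sixth is blocked.
    rl = RateLimiter(threshold=5, period=10, action_duration=60)
    for t in range(7):
        print(t, rl.check("203.0.113.7", t))
```

Note that two IPv6 clients in the same /64 share one counter, which is why a rule threshold should be sized for the whole range rather than a single host.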


Analytics

View Rate Limiting analytics in the Cloudflare Analytics app under the Security tab. Rate Limiting analytics uses solid lines to represent traffic that matches simulated requests and dotted lines to portray requests that were actually blocked. Logs generated by a Rate Limiting rule are only visible to Enterprise customers via Cloudflare Logs.

Cloudflare returns an HTTP 429 error for blocked requests.  Details on blocked requests per location are provided to Enterprise customers under Status Codes analytics in the Cloudflare Analytics app under the Traffic tab. 

The HTTP 429 count includes 429 responses returned by the origin if the origin web server also applies its own rate limiting.


Rate Limiting allowances per plan

The number of allowed Rate Limiting rules depends on the domain’s plan:

Plan       | Rules | Actions                                      | Action Duration                                              | Request Period
Free       | 1     | Block                                        | 1 minute or 1 hour                                           | 10 seconds or 1 minute
Pro        | 10    | Block, Challenge, JS Challenge, or Simulate  | 1 minute or 1 hour                                           | 10 seconds or 1 minute
Business   | 15    | Block, Challenge, JS Challenge, or Simulate  | 1 minute, 1 hour, or 24 hours                                | 10 seconds, 1 minute, or 10 minutes
Enterprise | 100   | Block, Challenge, JS Challenge, or Simulate  | Any duration between 10 seconds and 86400 seconds (24 hours) | Any value between 1 and 3,600 seconds

Cloudflare Rate Limiting supports multiple levels of configuration control depending on the domain’s Cloudflare plan.  The table below maps out what you can do based on your plan:

  1. Configure a basic Rate Limiting rule: all plans
  2. Configure Advanced Criteria: Business and Enterprise plans
  3. Configure Advanced Response: Business and Enterprise plans
  4. Configure the Bypass option: Enterprise plan


Components of a Rate Limiting rule

A Rate Limiting rule consists of three distinct components.


Identify rate-limit thresholds

To identify a general threshold for Cloudflare Rate Limiting, divide 24 hours of uncached website requests by the unique visitors for the same 24 hours. Then, divide by the estimated average minutes of a visit.  Finally, multiply by 4 (or larger) to establish an estimated threshold per minute for your website. A value higher than 4 is fine since most attacks are an order of magnitude above typical traffic rates.

To identify URL rate limits for specific URLs, use 24 hours of uncached requests and unique visitors for the specific URL.  Adjust thresholds based on user reports and your own monitoring.
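An added worked example (not from the original article) that applies the two rules of thumb above to a constructed 24-hour request sample: the site-wide threshold divides uncached requests by unique visitors and by the average visit length, then multiplies by 4; the per-URL thresholds repeat the calculation with each URL's own uncached requests and visitors. The record format, function names and the sample traffic are assumptions for the example; uncached requests are taken to be those whose CF-Cache-Status is not HIT.

```python
import math
from collections import defaultdict


def estimate_threshold(uncached_requests: int, unique_visitors: int,
                       avg_visit_minutes: float, multiplier: float = 4) -> int:
    """Page's rule of thumb: uncached requests / unique visitors / visit minutes,
    multiplied by 4 (or larger), rounded up to whole requests per minute."""
    if unique_visitors <= 0 or avg_visit_minutes <= 0:
        raise ValueError("need at least one visitor and a positive visit length")
    if multiplier < 4:
        raise ValueError("the article recommends a multiplier of 4 or larger")
    per_visitor = uncached_requests / unique_visitors
    per_minute = per_visitor / avg_visit_minutes
    return math.ceil(per_minute * multiplier)


def thresholds_from_records(records, avg_visit_minutes: float, multiplier: float = 4):
    """records: (client_ip, url, cf_cache_status) tuples covering 24 hours.
    Returns (site_threshold, {url: threshold}) in requests per minute."""
    uncached = [(ip, url) for ip, url, status in records if status != "HIT"]
    visitors = {ip for ip, _, _ in records}          # unique visitors, site-wide
    site = estimate_threshold(len(uncached), len(visitors), avg_visit_minutes, multiplier)

    url_visitors = defaultdict(set)                   # unique visitors per URL
    for ip, url, _ in records:
        url_visitors[url].add(ip)
    url_requests = defaultdict(int)                   # uncached requests per URL
    for _, url in uncached:
        url_requests[url] += 1
    per_url = {url: estimate_threshold(n, len(url_visitors[url]), avg_visit_minutes, multiplier)
               for url, n in url_requests.items()}
    return site, per_url


# Constructed 24-hour sample (not real traffic): four visitors, two uncached
# paths (/login, /search) and one asset always served from cache.
SAMPLE_RECORDS = (
    [("198.51.100.10", "/login", "MISS")] * 3
    + [("198.51.100.10", "/search", "MISS")] * 2
    + [("198.51.100.10", "/static/app.js", "HIT")] * 5
    + [("198.51.100.11", "/login", "MISS")]
    + [("198.51.100.11", "/static/app.js", "HIT")] * 2
    + [("198.51.100.12", "/search", "MISS")] * 6
    + [("198.51.100.12", "/static/app.js", "HIT")]
    + [("198.51.100.13", "/static/app.js", "HIT")] * 3
)

if __name__ == "__main__":
    site, per_url = thresholds_from_records(SAMPLE_RECORDS, avg_visit_minutes=2)
    print("site-wide threshold per minute:", site)
    for url, threshold in sorted(per_url.items()):
        print(f"{url}: {threshold} per minute")
```

With the sample above (12 uncached requests, 4 visitors, 2-minute visits) the site-wide estimate is 6 requests per minute; the cached asset gets no per-URL threshold because it never reaches the origin. Treat these numbers as a starting point and adjust them from user reports and your own monitoring, as the article advises.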


Task 1: Configure a basic Rate Limiting rule


Any change to a Rate Limiting rule clears that rule’s currently triggered actions. Exercise care when editing Rate Limiting rules for mitigation of an ongoing attack.

In general, when setting a lower threshold:

  1. Leave existing rules in place and add a new rule with the lower threshold.
  2. Once the new rule is in place, wait for the action duration of the old rule to pass before deleting the old rule.

When setting a higher threshold (because legitimate clients are being blocked), increase the threshold within the existing rule.


Task 2: Configure Advanced Criteria (only Business and Enterprise plans)

The Advanced Criteria option configures which HTTP methods, header responses, and origin response codes to match for your Rate Limiting rule.

To configure your advanced criteria for a new or existing rule, follow these steps:

1. Click Advanced Criteria.

(Screenshot: the Advanced Criteria section of the Create Rule dialog.)

2. Select a value from the Method(s) dropdown.  ANY is a default that matches all HTTP methods.

3. Filter by HTTP Response Header(s). The CF-Cache-Status header appears by default so that Cloudflare serves cached resources rather than rate limiting them. Click Add header response field to include headers returned by your origin web server.

If you have more than one header under HTTP Response Header(s), AND logic applies: every header condition must match. To exclude a header value, use the Not Equals option. Header matching is case insensitive.

4. Under Origin Response code(s), enter the numerical value of each HTTP response code to match.  Separate two or more HTTP codes with a comma; for example: 401, 403 

5. Click Save and Deploy or configure additional Rate Limiting features allowed for your plan.


Task 3: Configure Advanced Response (only Business and Enterprise plans)

The Advanced Response option configures the format of the response Cloudflare returns when a rule's threshold is exceeded. Configure it via the following steps:

1. Click Advanced Response.

(Screenshot: the Advanced Response section of the Create Rule dialog.)

2. Select a Response type format. The maximum response size is 32 kB.

To display a custom HTML page, or a page larger than the 32 kB limit, add a meta refresh to the Rate Limiting rule via the Cloudflare API, using the Response object of the Action parameter. For example:

"response": { "content_type": "text/html", "body": "\u003cmeta http-equiv=\"refresh\" content=\"0; url=https://www.example.com/about\" /\u003e"}

Your Rate Limiting rule must not match the redirect URL. To protect against DDoS, the page at the redirect URL must consist of resources cached by Cloudflare.

3. Click Save and Deploy or configure additional features based on your plan.


Task 4: Configure the Bypass option (Enterprise plans only)

Bypass creates a whitelist or exception so that no actions apply to a specific set of URLs even if the rate limit is matched. Configure a Bypass via the following steps:

1. Click Bypass.

2. In the Bypass rule for these URLs text box, enter the URL(s) to exempt from the rate limiting rule. Enter each URL on its own line. Any http:// or https:// scheme in a URL is removed when the rule is saved, and the bypass then applies to both HTTP and HTTPS.

(Screenshot: the Bypass section of the Create Rule dialog.)

3. Click Save and Deploy, or configure additional features based on your plan.
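The following added example (not Cloudflare's code or an official SDK) assembles one rule object that exercises Tasks 2, 3 and 4 above and enforces the constraints the article states before anything is sent: origin response codes are parsed from the comma-separated form "401, 403", header conditions are ANDed with an Equals/Not Equals operator, a custom response is rejected above 32 kB, the meta-refresh body from Task 3 is refused if the rule's own URL pattern would match the redirect target, and schemes are stripped from bypass URLs. The field names follow the legacy rate_limits API as the editor recalls it and are assumptions to verify against current API documentation, as are the action mode names, the `*` wildcard semantics and the exact 32 x 1024 byte boundary; the period and action-duration ranges are the Enterprise values from the plan table.

```python
import fnmatch
import re

# Page: custom response capped at 32 kB; the exact byte boundary is assumed.
MAX_RESPONSE_BYTES = 32 * 1024
# Enterprise ranges from the plan table (seconds); other plans allow fixed choices only.
PERIOD_RANGE = (1, 3600)
TIMEOUT_RANGE = (10, 86400)
# Action mode names as the editor recalls them from the legacy API (assumption).
MODES = {"simulate", "ban", "challenge", "js_challenge"}
HEADER_OPS = {"equals": "eq", "not equals": "ne"}   # dashboard wording -> API operator (assumed)


def parse_origin_codes(text: str) -> list:
    """'401, 403' -> [401, 403]; rejects anything that is not an HTTP status code."""
    codes = []
    for part in text.split(","):
        part = part.strip()
        if not re.fullmatch(r"[1-5]\d\d", part):
            raise ValueError(f"not an HTTP status code: {part!r}")
        codes.append(int(part))
    return codes


def strip_scheme(url: str) -> str:
    """Rule and bypass URLs apply to both HTTP and HTTPS, so any scheme is dropped."""
    return re.sub(r"^https?://", "", url.strip(), flags=re.IGNORECASE)


def rule_matches(url_pattern: str, url: str) -> bool:
    """Simplified '*' wildcard match (assumed semantics) for the redirect-target check."""
    return fnmatch.fnmatchcase(strip_scheme(url), strip_scheme(url_pattern))


def custom_response(content_type: str, body: str) -> dict:
    """The 'response' object of the action; enforces the 32 kB limit."""
    if len(body.encode("utf-8")) > MAX_RESPONSE_BYTES:
        raise ValueError("response body over 32 kB; redirect to a cached page instead")
    return {"content_type": content_type, "body": body}


def meta_refresh_response(redirect_url: str, url_pattern: str) -> dict:
    """Meta-refresh body as in the article; refuses a target the rule itself would match."""
    if rule_matches(url_pattern, redirect_url):
        raise ValueError("redirect target must not be matched by the rule's URL pattern")
    body = f'<meta http-equiv="refresh" content="0; url={redirect_url}" />'
    return custom_response("text/html", body)


def build_rule(url_pattern, threshold, period, mode, timeout, methods=("ANY",),
               headers=(), origin_codes="", response=None, bypass_urls=(), description=""):
    """Assemble one rule. headers: (name, 'equals'|'not equals', value) tuples, ANDed;
    header names are matched case-insensitively by Cloudflare, so they are passed as given."""
    if not PERIOD_RANGE[0] <= period <= PERIOD_RANGE[1]:
        raise ValueError("request period must be 1..3600 seconds")
    if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
        raise ValueError("action duration must be 10..86400 seconds")
    if mode not in MODES:
        raise ValueError(f"unknown action mode {mode!r}")
    rule = {
        "description": description,
        "disabled": False,
        "threshold": threshold,
        "period": period,
        "match": {
            "request": {"url": strip_scheme(url_pattern), "methods": list(methods),
                        "schemes": ["HTTP", "HTTPS"]},
            "response": {"headers": [{"name": name, "op": HEADER_OPS[op], "value": value}
                                     for name, op, value in headers]},
        },
        "action": {"mode": mode, "timeout": timeout},
        "bypass": [{"name": "url", "value": strip_scheme(u)} for u in bypass_urls],
    }
    if origin_codes:
        rule["match"]["response"]["status"] = parse_origin_codes(origin_codes)
    if response is not None:
        rule["action"]["response"] = response
    return rule


def rejects(fn, *args, **kwargs) -> bool:
    """True if the call is refused with ValueError (used to show the guard rails)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    import json
    resp = meta_refresh_response("https://www.example.com/about", "www.example.com/login*")
    rule = build_rule("https://www.example.com/login*", threshold=5, period=60, mode="ban",
                      timeout=600, methods=("POST",),
                      headers=(("Cf-Cache-Status", "not equals", "HIT"),),
                      origin_codes="401, 403", response=resp,
                      bypass_urls=("https://www.example.com/login/health",),
                      description="login brute-force guard (constructed example)")
    print(json.dumps(rule, indent=2))
```

The rule object is only built locally here; submitting it is left to whichever API client you use. The redirect-target check is the part worth keeping whatever tooling you have: a meta refresh that lands on a URL the same rule covers would itself be rate limited and the visitor would never reach the explanatory page.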

