Cloudflare Rate Limiting protects against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeting the application layer.
Overview
Cloudflare Rate Limiting supports multiple levels of configuration control depending on the Cloudflare plan that your zone is subscribed to.
You can see a list of existing rules for your zone under the Rate Limiting section of the Firewall app under the Tools tab in the Cloudflare dashboard. This is where you can add, edit, and remove existing rules.
The instructions on this page are tiered by customer plan. The table below maps out what you can do based on your plan.
# | Task | Available in |
---|---|---|
1 | Configure a basic Rate Limiting rule | All plans |
2 | Configure Advanced Criteria | Business and Enterprise plans |
3 | Configure Advanced Response | Business and Enterprise plans |
4 | Configure the Bypass option | Enterprise plan |
The tasks on this page are designed to help you get started. For more in-depth information, consult Cloudflare Rate Limiting.
Task 1: Configure a basic Rate Limiting rule
To configure a basic rate limiting rule:
1. Log in to the Cloudflare dashboard.
2. Ensure the website you want to update is selected.
3. Click the Firewall app and select the Tools tab.
4. Click Create a custom rule. A dialog opens where you specify the details of your new rule.
5. Enter a descriptive Rule Name.
6. For If Traffic Matching the URL, select an HTTP scheme from the dropdown as well as a URL.
7. In from the same IP address exceeds, enter an integer greater than 1 to represent the number of requests in a sampling period.
8. For requests per, select the sampling period (the period during which requests are counted).
9. For the Then dropdown, pick one of the available actions based on your plan:
"Then" action | Description | Available in |
---|---|---|
Block | Cloudflare issues a 429 error when the threshold is exceeded. | All plans |
Challenge | The user has to pass a Google reCAPTCHA challenge before proceeding. If successful, Cloudflare accepts the request. Otherwise, the request is blocked. | Pro, Business, and Enterprise plans |
JS Challenge | The user has to pass a Cloudflare JavaScript Challenge before proceeding. If successful, Cloudflare accepts the request. Otherwise, the request is blocked. | |
Simulate | Cloudflare does not block any requests; instead, it logs them in Cloudflare Logs (formerly known as Enterprise Log Share or ELS) with the action simulate. You can use this option to test your rule before applying any of the other options in your live environment. | |
10. If you selected Block or Simulate, for matching traffic from that visitor for, select how long to apply the option once a threshold has been triggered.
11. To activate your new rule, click Save and Deploy.
Once deployed, your new rule is listed under the Rate Limiting section of the Firewall app under the Tools tab.
At this point and based on your plan, you can edit your rule to add Advanced Criteria, Advanced Response, and Bypass details.
Task 2: Configure Advanced Criteria
The Advanced Criteria option allows you to specify which HTTP methods, header responses, and origin response codes to match for your Rate Limiting rule.
To configure your advanced criteria while creating a new rule or editing an existing one, follow these steps:
1. In the dialog, click Advanced Criteria. That section of the dialog expands to display the options available.
2. Select a value from the Method(s) dropdown. The value ANY is selected by default and matches all HTTP methods.
3. Update HTTP Response Header(s) by editing the default header included. You can also Add header response field to include headers returned by your origin web server.
4. Under Origin Response code(s), enter the numeric value of each HTTP response code to match. To include two or more response codes, separate the values with commas; for example, enter 401, 403 if you only want those two response codes to count.
5. At this point, you can deploy your changes by clicking Save and Deploy or configure additional features based on your plan.
Task 3: Configure Advanced Response
The Advanced Response option allows you to specify the format of the information returned by Cloudflare when a rule's threshold has been exceeded and requests are being blocked.
Enterprise customers are the only ones who can view the log entries generated by a Rate Limiting rule through Cloudflare Logs (formerly Enterprise Log Share or ELS). To learn more, see Cloudflare Logs and Rate Limiting. Non-Enterprise customers can get a sense of logged entries by looking at the Rate Limiting Analytics graph.
Configure your advanced response
To configure your advanced response while creating a new rule or editing an existing one, follow these steps:
1. In the dialog, click Advanced Response. That section of the dialog expands to display a dropdown.
2. In the Response type dropdown, select an available format. The top limit for response size is 32kb.
3. At this point you can deploy your changes by clicking Save and Deploy, or configure additional features based on your plan.
Task 4: Configure the Bypass option
Bypass lets you create the equivalent of a whitelist or exception for a set of URLs. That is, no actions trigger for those URLs even if the Rate Limiting rule is matched.
To configure your bypass while creating a new rule or editing an existing one, follow these steps:
1. In the dialog, click Bypass. That section of the dialog expands to display a text box.
2. In the Bypass rule for these URLs text box, enter the URL(s) to apply the exception to. Each URL must be on its own line.
3. At this point you can deploy your changes by clicking Save and Deploy, or configure additional features based on your plan.
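The rule fields from Tasks 1, 2 and 4 (threshold and sampling period per IP, the Block and Simulate actions with their timeout, method and origin-response-code criteria, and Bypass URLs) can be hard to reason about from the dialog alone. The following is an added example, not Cloudflare's code or API: a small Python model of how such a rule is evaluated against a constructed sample of login traffic. The request fields, rule names, glob-style URL matching and sliding-window counting are this example's own simplifications and are labelled as such in the code; only the semantics described on this page (count requests from the same IP, act when the count exceeds the threshold within the period, keep Block applied for the timeout, never act on bypassed URLs, and have Simulate log rather than block) are taken from the text.

```python
"""Toy model of a Cloudflare-style Rate Limiting rule (constructed example).

The Request fields, rule field names, glob URL matching and sliding-window
counting are this example's own simplifications; they are not Cloudflare's
implementation or API.
"""
from dataclasses import dataclass, field, replace
from fnmatch import fnmatch
from typing import Dict, List, Set, Tuple


@dataclass
class Request:
    ts: float           # arrival time in seconds (constructed)
    ip: str             # client IP the counter is keyed on
    method: str
    url: str            # host + path without scheme, e.g. "example.com/login"
    origin_status: int  # status code the origin returned for this request


@dataclass
class RateLimitRule:
    name: str
    url_pattern: str                      # glob matched against Request.url
    threshold: int                        # "from the same IP address exceeds" (> 1)
    period: int                           # "requests per" sampling period, seconds
    action: str                           # block | challenge | js_challenge | simulate
    timeout: int = 0                      # how long Block/Simulate stays applied
    methods: Set[str] = field(default_factory=lambda: {"ANY"})   # Advanced Criteria
    origin_status_codes: Set[int] = field(default_factory=set)   # empty = any code
    bypass_urls: List[str] = field(default_factory=list)         # Bypass option


class RateLimiter:
    def __init__(self, rule: RateLimitRule) -> None:
        self.rule = rule
        self.windows: Dict[str, List[float]] = {}     # ip -> timestamps counted
        self.mitigated_until: Dict[str, float] = {}   # ip -> end of Block/Simulate
        self.simulate_log: List[str] = []             # what Simulate would log

    def _matches(self, req: Request) -> bool:
        r = self.rule
        if not fnmatch(req.url, r.url_pattern):
            return False
        if "ANY" not in r.methods and req.method not in r.methods:
            return False
        if r.origin_status_codes and req.origin_status not in r.origin_status_codes:
            return False
        return True

    def _bypassed(self, req: Request) -> bool:
        # Bypass: the rule may match, but no action is ever taken for these URLs.
        return any(fnmatch(req.url, p) for p in self.rule.bypass_urls)

    def _apply(self, req: Request) -> str:
        if self.rule.action == "simulate":
            # Simulate never blocks; it only records what the rule would have done.
            self.simulate_log.append(f"{req.ts:.0f} {req.ip} {req.method} {req.url} simulate")
            return "allow"
        return self.rule.action   # "block" (a 429 in Cloudflare), "challenge", "js_challenge"

    def handle(self, req: Request) -> str:
        """Disposition for one request: allow, block, challenge or js_challenge."""
        r = self.rule
        if not self._matches(req) or self._bypassed(req):
            return "allow"
        if req.ts < self.mitigated_until.get(req.ip, 0.0):
            return self._apply(req)   # still inside the Block/Simulate timeout
        # Sliding window: keep only this IP's requests from the last `period` seconds.
        window = [t for t in self.windows.get(req.ip, []) if req.ts - t < r.period]
        window.append(req.ts)
        self.windows[req.ip] = window
        if len(window) > r.threshold:
            if r.action in ("block", "simulate"):
                self.mitigated_until[req.ip] = req.ts + r.timeout
            return self._apply(req)
        return "allow"


# Rule: more than 5 failed POST logins per minute from one IP blocks that IP for 10 minutes.
LOGIN_RULE = RateLimitRule(
    name="login brute force", url_pattern="example.com/login*",
    threshold=5, period=60, action="block", timeout=600,
    methods={"POST"}, origin_status_codes={401, 403},
    bypass_urls=["example.com/login/health"],
)
SIMULATE_RULE = replace(LOGIN_RULE, action="simulate")   # same rule in test mode

# Constructed traffic: one IP fails 7 logins in 12 seconds; a legitimate user fails once
# then succeeds; plus requests the Advanced Criteria or Bypass should exclude.
SAMPLE = [Request(float(i * 2), "203.0.113.7", "POST", "example.com/login", 401) for i in range(7)]
SAMPLE += [
    Request(3.0, "198.51.100.3", "POST", "example.com/login", 401),
    Request(5.0, "198.51.100.3", "POST", "example.com/login", 200),        # success: not counted
    Request(6.0, "203.0.113.7", "GET", "example.com/login", 200),          # wrong method: not counted
    Request(7.0, "203.0.113.7", "POST", "example.com/login/health", 403),  # bypassed URL
    Request(700.0, "203.0.113.7", "POST", "example.com/login", 401),       # after the timeout
]


def run(rule: RateLimitRule, requests: List[Request]) -> Tuple[List[str], List[str]]:
    """Evaluate requests in time order; return (dispositions, simulate log)."""
    limiter = RateLimiter(rule)
    dispositions = [limiter.handle(req) for req in sorted(requests, key=lambda r: r.ts)]
    return dispositions, limiter.simulate_log


if __name__ == "__main__":
    for rule in (LOGIN_RULE, SIMULATE_RULE):
        dispositions, log = run(rule, SAMPLE)
        print(rule.action, dispositions, log)
```

Running it with the Block rule allows the first nine matching or excluded requests, blocks the sixth and seventh failed login from 203.0.113.7 (the count exceeds 5 within 60 seconds, and the block then persists for 600 seconds), and allows the request at 700 seconds once the timeout has lapsed. Swapping in the Simulate variant returns allow for everything but writes two log entries for the same two requests, which is the point of testing a rule with Simulate before switching it to Block.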
Next steps
Visit Cloudflare Rate Limiting for more in-depth information.