Cloudflare Advanced Rate Limiting

Granular controls to block abuse

Advanced rate limiting protects against denial-of-service attacks, brute-force login attempts, API traffic surges and other types of abuse targeting APIs and applications.

Powerfully configure thresholds, define traffic, customize responses, and gain valuable insights into specific URLs of websites, applications, or API endpoints. Advanced rate limiting is integrated with our WAF custom rules and acts as a natural complement to DDoS and API security.

View in Dashboard

Looking for enterprise-grade solutions? Contact Sales

simple integration spot illustration 3x 8 1200x727 4586163
Layer 7 DDoS Mitigation

Layer 7 DDoS Mitigation

High precision distributed denial-of-service protection through granular configuration options.

API Protection

API Protection

Match traffic on specific API attributes like tokens, API keys or cookies for API usage limits that ensure availability and stop abuse.

Brute Force Protection

Brute Force Protection

Protect sensitive customer information against brute force login attacks.

Cost Effective

Cost Effective

Avoid unpredictable costs associated with traffic spikes or attacks on auto-scaling resources by only allowing good traffic through.

"Rate Limiting ensures I can keep running my service reliably, cost effectively and ethically."
TROY HUNT
Founder at HaveIBeenPwned.com

Rate Limiting in Action

This interactive demo provides three different scenarios on how to utilize rate limiting to protect your endpoints from suspicious requests. Select one of the demos below to see rate limiting in action.

This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.

  • Brute Force Login Protection

  • API Abuse Protection

  • High Precision DDoS Protection

protect
Demo: Brute Force Login Protection

Attempt to login more than 2 times in under 1 minute

This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.

Login

Demo: API Abuse Protection

Refresh the content more than 2 times in under 1 minute

Sophisticated DDoS attacks are difficult to mitigate because they come from a large number of unique IP addresses and mimic legitimate traffic. The demo below uses Rate Limiting to allow up to 2 requests per minute before blocking a potential DDoS attack.

curl -X GET "https://api.cloudflare.com/client/v4/zones/cd7d0123e3012345da9420df9514dad0"
Demo: High Precision DDoS Protection

Refresh the content more than 2 times in under 1 minute

Sophisticated DDoS attacks are difficult to mitigate because they come from a large number of unique IP addresses and mimic legitimate traffic. The demo below uses Rate Limiting to allow up to 2 requests per minute before blocking a potential DDoS attack.

new rl rule

Configure Thresholds

Protect your website URLs or API endpoints from suspicious requests that exceed defined thresholds. Granular configuration options including request limits, requests methods, and more.

Define Responses

Website and API visitors hitting defined request thresholds can trigger custom responses, such as mitigating actions (challenges or CAPTCHAS), response codes (Error 401 - Unauthorized), timeouts, and blocking.

rate limiting insights 1

Analytical Insight

Gain deep insights into traffic patterns to help scale and protect your resources. See how much malicious traffic is blocked by rule, how many requests make it to your origin, and more.