Cloudflare Rate Limiting: Setup, Rules & Best Practices
Have you ever woken up to find your site slowed to a crawl, or your API bill spiked because of a flood of bot traffic? Malicious actors, scrapers, and DDoS attacks target sites of all sizes, and without the right protections, your origin server can get overwhelmed fast. That’s where Cloudflare Rate Limiting comes in.
Cloudflare Rate Limiting is a native security feature that lets you control exactly how much traffic your site accepts, stopping bad actors before they even reach your servers. It runs on Cloudflare’s global network of 300+ data centers, so rules apply instantly to traffic worldwide.
What Is Cloudflare Rate Limiting?
Cloudflare Rate Limiting is a configurable rule-based tool that restricts the number of requests a single visitor (or group of visitors) can make to your site within a set time window. Unlike origin-server rate limiting, which processes rules after traffic hits your infrastructure, Cloudflare’s version filters traffic at the edge, so your servers never waste resources on blocked requests.
You can set rules based on IP address, request headers, cookies, URL paths, or HTTP methods, and choose to block, challenge, or just log traffic that exceeds your thresholds. It works alongside Cloudflare WAF, DDoS protection, and bot management tools for layered security.
Why Use Cloudflare Rate Limiting?
Cloudflare Rate Limiting solves several common site and API security pain points:
- Stop DDoS attacks: Block volumetric and application-layer DDoS floods before they reach your origin server.
- Prevent API abuse: Cap excessive calls to your API endpoints to avoid overage charges and server strain.
- Block brute force attacks: Limit login page requests to stop credential stuffing and password guessing attempts.
- Reduce server load: Filter out malicious or unnecessary traffic so your origin only processes legitimate requests.
- Enforce traffic policies: Set custom limits for SaaS users, partners, or internal teams to comply with your service terms.
How to Set Up Cloudflare Rate Limiting (Step-by-Step)
Cloudflare Rate Limiting is easy to configure, even for beginners. Note: Free plan users get 1 active rate limit rule, while Pro (10 rules), Business (50 rules), and Enterprise (custom limits) plans offer more flexibility.
Prerequisites
- An active Cloudflare account with your site added and proxied through Cloudflare (orange cloud enabled)
- Access to your Cloudflare dashboard security settings
Step 1: Access Rate Limiting Settings
Log into your Cloudflare dashboard, select the site you want to protect, then navigate to Security > Rate Limiting. Click the Create rate limit rule button to start a new configuration.
Step 2: Define Rule Scope
Choose which traffic the rule applies to. You can use:
- All traffic to your site
- Specific URL paths (e.g., /api/*, /login)
- HTTP methods (GET, POST, PUT, etc.)
- Request headers or cookies (e.g., API keys, user agents)
Use AND/OR logic to combine filters for more precise targeting. For example, you might apply a rule only to POST requests to /login.
Step 3: Set Rate Limit Threshold
Define your limit: choose a time window (10 seconds to 1 hour) and the maximum number of requests allowed in that window (1 to 100,000) per tracking characteristic (by default, the client IP address). For example, 100 requests per 10 minutes per IP is a common starting point for general site traffic.
Step 4: Configure Action on Limit Reached
Select what happens when a visitor exceeds the limit:
- Block: Return a 429 Too Many Requests error, and set a block duration (1 minute to 1 hour, or indefinite).
- Challenge: Present a Cloudflare CAPTCHA or JS challenge to verify the visitor is human.
- Log only: Track violations without taking action, ideal for testing rules before enforcement.
Step 5: Name and Deploy the Rule
Give your rule a clear, descriptive name (e.g., api-abuse-limit-1000-per-hour) so you can easily identify it later. Toggle the rule to On, then click Deploy to activate it.
Cloudflare Rate Limiting Best Practices
Follow these tips to avoid false positives and get the most out of your rate limit rules:
- Always start with log-only mode to test rules for 1-2 weeks before blocking traffic, to avoid blocking legitimate users.
- Use specific URL scopes instead of applying rules to all traffic, to minimize impact on regular visitors.
- Create separate rules for known good bots (e.g., Googlebot, Bingbot) to exempt them from strict limits.
- Combine rate limiting with Cloudflare WAF rules to block traffic from high-risk regions or malicious IP ranges first.
- Monitor rate limit analytics weekly to adjust thresholds as your traffic patterns change.
- Set shorter block times (5-15 minutes) for first-time violators, and longer durations for repeat offenders.
Common Use Cases for Cloudflare Rate Limiting
Most site owners use Cloudflare Rate Limiting for one of these core scenarios:
- Login page protection: Limit POST requests to /login to 5 per 10 minutes per IP to stop brute force attacks.
- API security: Cap GET/POST requests to /api/v1/* to 1000 per hour per API key to prevent abuse.
- DDoS mitigation: Set a global limit of 500 requests per minute per IP to block volumetric flood attacks.
- Scraping prevention: Limit requests to product or pricing pages to 50 per hour per IP to stop competitor scraping.
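To make the scope, threshold, action and block-duration settings from Steps 2 to 5 concrete, and to show how the login and API-key rules from the list above behave on real traffic, here is an added Python simulation of a single edge rate-limit rule. It is not Cloudflare's code: it assumes a sliding window over per-key request timestamps (an approximation of Cloudflare's counting), and the 5-minute block duration, the sample IP and the request timeline are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    methods: frozenset     # HTTP methods in scope; empty means any method
    path_prefix: str       # request path must start with this
    limit: int             # max requests per window, per tracking key
    window: int            # window length in seconds
    key: str = "ip"        # "ip" or a header name such as "x-api-key"
    action: str = "block"  # "block" returns 429; "log" only records the hit
    block_for: int = 0     # seconds a key stays blocked after exceeding

@dataclass
class EdgeLimiter:
    rule: Rule
    hits: dict = field(default_factory=lambda: defaultdict(deque))
    blocked_until: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (rule name, key, ts) violations
    def handle(self, req):
        """Return 200 (passed to origin) or 429 (stopped at the edge)."""
        r = self.rule
        if (r.methods and req["method"] not in r.methods) or not req["path"].startswith(r.path_prefix):
            return 200  # out of scope: this rule never sees the request
        key = req["ip"] if r.key == "ip" else req["headers"].get(r.key, req["ip"])
        now = req["ts"]
        if self.blocked_until.get(key, -1) > now:
            return 429  # block duration still running
        q = self.hits[key]
        while q and q[0] <= now - r.window:  # forget hits outside the window
            q.popleft()
        q.append(now)
        if len(q) <= r.limit:
            return 200
        self.log.append((r.name, key, now))
        if r.action == "log":
            return 200  # log-only mode: count it, report it, let it through
        self.blocked_until[key] = now + r.block_for
        return 429

def simulate(rule, requests):  # feed constructed requests through one rule
    lim = EdgeLimiter(rule)
    return [lim.handle(x) for x in requests], lim.log
def req(ts, method="POST", path="/login", ip="203.0.113.5"):
    return {"ts": ts, "ip": ip, "method": method, "path": path, "headers": {}}
# Login rule from the use-case list (the 5-minute block duration is an assumption).
LOGIN_RULE = Rule("login-5-per-10min", frozenset({"POST"}), "/login", 5, 600, block_for=300)
# Constructed traffic: 7 POSTs in 7 s, a GET (out of scope), retries at 400 s and 700 s.
SAMPLE = [req(t) for t in range(7)] + [req(7, "GET"), req(400), req(700)]
```

Running `simulate(LOGIN_RULE, SAMPLE)` shows the sixth POST tripping the limit, the GET passing because it is outside the rule's scope, the retry at 400 s still counting against the 10-minute window, and the request at 700 s passing once the early hits have aged out; switching the rule to `action="log"` keeps every request at 200 while still filling the violation log.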
Frequently Asked Questions
Q: Is Cloudflare Rate Limiting free?
A: Free Cloudflare plans include 1 active rate limit rule. Paid Pro, Business, and Enterprise plans offer 10, 50, and custom rule limits respectively.
Q: Can I rate limit by API key instead of IP?
A: Yes, you can set rate limits based on custom request headers (like your API key header) or cookies, not just IP addresses.
Q: Will Cloudflare Rate Limiting block legitimate users?
A: It can if thresholds are set too low or rules are applied too broadly. Always start with log-only mode, and use specific URL scopes to avoid blocking regular traffic.
Q: How do I monitor rate limit violations?
A: Go to your Cloudflare dashboard > Analytics > Security to view rate limit events, including blocked IPs, request counts, and triggered rules.
Conclusion
Cloudflare Rate Limiting is one of the simplest, most effective ways to protect your site and APIs from malicious traffic, abuse, and overload. Because it runs at the edge on Cloudflare’s global network, you get instant protection without adding latency for legitimate visitors.
Start with a single log-only rule to test the feature, then adjust thresholds and actions as you learn your traffic patterns. For full site security, pair Cloudflare Rate Limiting with Cloudflare WAF and bot management tools.
Ready to secure your site? Log into your Cloudflare dashboard today to set up your first rate limit rule. For more security tips, check out our related guide on Cloudflare WAF configuration. You can also refer to Cloudflare’s official rate limiting documentation for technical specifications.