Skip to content

Features

Rate limiting is composed of the following parameters:

  • An expression that specifies the criteria you are matching traffic on using the Rules language.
  • An action that specifies what to perform when there is a match for the rule and any additional conditions are met. In the case of rate limiting rules, the action occurs when the rate reaches the specified limit.

Besides these two parameters, rate limiting rules require the following additional parameters:

  • Characteristics: The set of parameters that define how Cloudflare tracks the rate for this rule.
  • Period: The period of time to consider (in seconds) when evaluating the rate.
  • Requests per period: The number of requests over the period of time that will trigger the rate limiting rule.
  • Duration (or mitigation timeout): Once the rate is reached, the rate limiting rule blocks further requests for the period of time defined in this field.
  • Action behavior: By default, Cloudflare will apply the rule action for the configured duration (or mitigation timeout), regardless of the request rate during this period. Some Enterprise customers can configure the rule to throttle requests over the maximum rate, allowing incoming requests when the rate is lower than the configured limit.

Features by plan type

Features vary by plan type.

FeatureFreeProBusinessEnterprise with app securityEnterprise with Advanced Rate Limiting
Available fields
in rule expression
Path, Verified BotHost, URI, Path, Full URI, Query, Verified BotHost, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified BotStandard fields, request header fields, dynamic fields (including Verified Bot), other Bot Management fields1Standard fields, request header fields, dynamic fields (including Verified Bot), other Bot Management fields1, request body fields2
Counting characteristicsIPIPIPIP, IP with NAT supportIP, IP with NAT support, Query, Host, Headers, Cookie, ASN, Country, Path, JA3/JA4 Fingerprint1, JSON field value2, Body2, Form input value2, Custom
Available fields
in counting expression
N/AN/AAll rule expression fields, Response code, Response headersAll rule expression fields, Response code, Response headersAll rule expression fields, Response code, Response headers
Counting modelNumber of requestsNumber of requestsNumber of requestsNumber of requestsNumber of requests,
complexity score
Rate limiting
action behavior
Perform action during mitigation periodPerform action during mitigation periodPerform action during mitigation periodPerform action during mitigation period,
Throttle requests above rate with block action
Perform action during mitigation period,
Throttle requests above rate with block action
Counting periods10 s10 s, 1 min10 s, 1 min, 10 min10 s, 1 min, 2 min, 5 min, 10 min10 s, 1 min, 2 min, 5 min, 10 min, 1 h
Mitigation timeout periods10 s10 s, 1 min, 1 h10 s, 1 min, 1 h, 1 day10 s, 1 min, 2 min, 5 min, 10 min, 1 h, 1 day310 s, 1 min, 2 min, 5 min, 10 min, 1 h, 1 day3
Number of rules1255 or more4100

1 Only available to Enterprise customers who have purchased Bot Management.
2 Availability depends on your WAF plan.
3 Enterprise customers can specify a custom mitigation timeout period via API.
4 Enterprise customers must have application security on their contract to get access to rate limiting rules. The number of rules depends on the exact contract terms.