Cloudflare Rate Limiting

Fine-grained control to block visitors with suspicious request rates

Rate Limiting protects against denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer.

Cloudflare’s 10 Tbps global anycast network is 10X bigger than the largest DDoS attack ever recorded, allowing all internet assets on Cloudflare’s network to withstand even massive DDoS attacks. Rate Limiting provides the ability to configure thresholds, define responses, and gain analytical insights into endpoints of your website, application, or API. It adds fine-grained traffic control to complement Cloudflare’s DDoS protection and web application firewall (WAF) services.

Cloudflare Rate Limiting gives you ultimate control over your HTTP/HTTPS traffic. Cloudflare charges based on “good” request traffic, eliminating the need to pay the cost of unpredictable traffic spikes or attacks. Start rate limiting your traffic for free today.

Contact Our Team
Singapore callers: +65 3158 3954
International callers: +1 (650) 319 8930

Already a Cloudflare customer? Activate Rate Limiting


Precise DoS Mitigation

High precision denial-of-service protection through robust configuration options.

API in browser

Ensure Availability

Avoid service disruptions by setting usage limits on HTTP/HTTPS requests.

Browser with cloud icon

Protect Customer Data

Protect sensitive customer information against brute force login attacks.

Lock in front of data

Cost Protection

Avoid the unpredictable cost of traffic spikes or attack by setting thresholds which only allow good traffic through.

Rate Limiting ensures I can keep running my service reliably, cost effectively and ethically.
Founder at

Rate Limiting in Action

This interactive demo provides three different scenarios on how to utilize rate limiting to protect your endpoints from suspicious requests. Select one of the demos below to see rate limiting in action.

This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.

  • Brute Force Login Protection

  • API Abuse Protection

  • High Precision DDoS Protection

Demo: Brute Force Login Protection

Attempt to login more than 2 times in under 1 minute

This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.


Demo: API Abuse Protection

Click "Run" to initiate excessive API requests

This example shows simulates a content scraper programmatically sending requests to an API. With Rate Limiting, we mitigate API service degradation by allowing 10 requests to our endpoint before serving a custom JSON response.

curl -X GET ""
Demo: High Precision DDoS Protection

Refresh the content more than 2 times in under 1 minute

Sophisticated DDoS attacks are difficult to mitigate because they come from a large number of unique IP addresses and mimic legitimate traffic. The demo below uses Rate Limiting to allow up to 2 requests per minute before blocking a potential DDoS attack.

Refreshing... Content loaded successfully. Try refreshing again Request blocked. Try again in 3 minutes

Configure Thresholds

Protect the endpoints of your website or API from suspicious requests that exceed defined thresholds. Configure fine-grained request limits or client parameters, such as a specific IP address.

Define Responses

Website and API visitors hitting defined request thresholds trigger custom responses, such as mitigating actions (challenges or CAPTCHAS), response codes (Error 401 - Unauthorized), timeouts, and blocking.

Analytical Insight (Coming Soon)

Gain deep insights into traffic and usage patterns to help scale and protect your resources. View request traffic in sum, or on a per rule basis. Get even more granular by viewing within a specific scope of time.

Only Pay for Good Traffic. Not Bad.

Cloudflare Rate Limiting can be activated for free. Self-serve plans include 10,000 free rate limited requests per month and Enterprise plans allow for unlimited rate limiting. We only charge for good traffic passing through the rate limited endpoints of your website or API. Good traffic means requests that do not exceed your rate limited thresholds.

Already a Cloudflare customer? Activate Rate Limiting

Making the Internet Work the Way It Should for Anything Online

Cloudflare speeds up and protects millions of websites, APIs, SaaS services, and other properties connected to the Internet. Our Anycast technology enables our benefits to scale with every server we add to our growing footprint of data centers.


Cloudflare is dedicated to enabling the best possible performance for our customers. Our global network speeds up and streamlines connections from visitors to their online destinations in a number of key ways:

  • CDN

    Moving content physically closer to visitors with our CDN is one of easiest way to improve the performance of your website and reduce load on your web servers.
  • Website Optimization

    Cloudflare lets you automatically enable the latest in web technologies. Our web optimization features cover everything from mobile image optimization to aggressive GZIP and HTTP/2.
  • DNS

    Cloudflare is one of the fastest managed DNS providers in the world. The same 102 data center network that powers our CDN dramatically speeds up domain resolution for your website’s visitors.
  • Load Balancing

    Cloudflare Load Balancing provides load balancing, geo-steering, monitoring and failover for your Internet facing infrastructure enhancing service availability.
  • SSL

    Modern SSL isn’t just for security—it can actually improve the performance of your website by leveraging features like OCSP stapling, session resumption, HTTP/2, and TLS 1.3.


As applications move to the cloud, their security needs to move with them. Cloudflare’s security services operate at the edge of the network, making it possible to identify and mitigate threats faster than on-premise solutions.

  • DDoS Protection

    Our enterprise-class DDoS protection network has 20 times more capacity than the largest DDoS attack ever recorded. Operating at the network edge, it protects against all forms of DDoS attacks.
  • WAF

    Our web application firewall benefits from the collective intelligence of our entire network. When we identify a new threat from one website, we can automatically block it from the other 6 million websites on our network.
  • Secure Registrar

    Registering your domain through Cloudflare is the most secure way to protect your trademark from domain hijacking.
  • Dedicated SSL Certificates

    With a few clicks within the Cloudflare dashboard, you can easily and quickly issue new certificates, securely generate private keys and more. Dedicated SSL Certificates are available for purchase on all Cloudflare pricing plans.
  • Rate Limiting

    Rate Limiting gives you granular controls to detect bad traffic, customized rulesets to ensure that your legitimate visitors are not impacted, and insights to improve your security posture as attacks evolve.