Rate Limiting protects against denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer.
Cloudflare’s 10 Tbps global anycast network is 10X bigger than the largest DDoS attack ever recorded, allowing all internet assets on Cloudflare’s network to withstand even massive DDoS attacks. Rate Limiting provides the ability to configure thresholds, define responses, and gain analytical insights into endpoints of your website, application, or API. It adds fine-grained traffic control to complement Cloudflare’s DDoS protection and web application firewall (WAF) services.
Cloudflare Rate Limiting gives you ultimate control over your HTTP/HTTPS traffic. Cloudflare charges based on “good” request traffic, eliminating the need to pay the cost of unpredictable traffic spikes or attacks. Start rate limiting your traffic for free today.
Protect the endpoints of your website or API from suspicious requests that exceed defined thresholds. Configure fine-grained request limits or client parameters, such as a specific IP address.
Website and API visitors hitting defined request thresholds trigger custom responses, such as mitigating actions (challenges or CAPTCHAS), response codes (Error 401 - Unauthorized), timeouts, and blocking.
Analytical Insight (Coming Soon)
Gain deep insights into traffic and usage patterns to help scale and protect your resources. View request traffic in sum, or on a per rule basis. Get even more granular by viewing within a specific scope of time.
Cloudflare Rate Limiting can be activated for free. Self-serve plans include 10,000 free rate limited requests per month and Enterprise plans allow for unlimited rate limiting. We only charge for good traffic passing through the rate limited endpoints of your website or API. Good traffic means requests that do not exceed your rate limited thresholds.