SOLUTIONS
Deliver Superior Online Experiences
Mitigate DDoS Attacks Stop Malicious Bot Abuse Accelerate Internet Applications Ensure Application Availability Optimize Web Experiences Stream Videos On-Demand
Secure Employee Applications and Devices
Deliver Zero Trust Access to Applications Implement Secure Access Service Edge (SASE) Protect Users Accessing the Internet Protect Corporate Networks Manage Secure Contractor Access Replace Virtual Private Networks (VPNs) Secure Your Remote Workforce Stop Zero Day Attacks with Browser Isolation
 
Protect and Accelerate Networks
Mitigate L3 DDoS Attacks Connect network infrastructure with Cloudflare Transform Corporate Networks
Code on the Network Edge
Build a Serverless Application Deploy a Static Website Configure a CDN Define Conditional Request Routing
Manage a Secure Cloud
Secure Hybrid, Cloud, & SaaS Platforms Enable SSL for SaaS Applications Reduce Cloud Data Transfer Costs
Register a Website
Register or Transfer a Website
INDUSTRIES
eCommerce Financial Services Gaming Healthcare and Life Sciences Media and Entertainment Public Sector SaaS
PUBLIC INTEREST
Election Campaigns Athenian Project Project Galileo Project Fair Shot
FOR INFRASTRUCTURE
Application & Network Security
DDoS Protection WAF Bot Management Magic Transit Magic WAN Rate Limiting SSL / TLS SSL/TLS for SaaS Providers Cloudflare Spectrum Network Interconnect
Performance & Reliability
CDN DNS Argo Smart Routing Load Balancing Stream Delivery China Network Waiting Room
FOR TEAMS
Cloudflare for Teams Access Gateway Browser Isolation
FOR DEVELOPERS
Serverless Applications
Cloudflare Workers Cloudflare Workers KV
Domain Registration
Cloudflare Registrar
Website Development
Cloudflare Pages Cloudflare Stream
SaaS Developers
Cloudflare for SaaS
FOR EVERYONE
1.1.1.1 1.1.1.1 with WARP (App) 1.1.1.1 for Families
INSIGHTS
Analytics Cloudflare Logs Web Analytics Cloudflare Radar
PRIVACY
Data Localization Compliance
FOR INFRASTRUCTURE
Advanced Security
Bot Management Firewall rules Magic Transit Spectrum (TCP/UDP) SSL WAF
Performance & Reliability
CDN DNS Image Resizing Load Balancing Stream (Video)
 
Insights
Analytics
Domain Registration
Registrar
FOR SERVERLESS APPLICATIONS
Workers Quick Start Cloudflare Pages Sample Workers Projects Workers Tutorials Command-line (Wrangler) Runtime
FOR TEAMS
Cloudflare for Teams
EXPLORE CLOUDFLARE API
Cloudflare API API Authentication
DOCUMENTATION HUB
Dev Documentation Hub
RESOURCES
Resource Hub Whitepapers Webinars Solutions & Product Guides Case Studies Analysts
EXPLORE
What's New? Network Map Cloudflare in China GDPR
GET STARTED
Register Your Website Welcome Center Get Help
LEARN
Learning Center Security DDoS Bot Management SSL Identity and Access Management Performance CDN DNS Cloud Serverless Network Layer
CONNECT
Blog Community
COMPLIANCE
GDPR Transparency Report Compliance
CONTACT
+1 650 319 8930
CHANNEL & ALLIANCE PARTNERS
Partner Network Partner Portal
TECHNOLOGY PARTNERS
Overview Analytics Partners Bandwidth Alliance Endpoint Security Partnerships Interconnect Partnerships Network On-ramp Partnerships Peering Portal
PRICING BY PLAN
Free Pro Business Enterprise
COMPARE AND EXPLORE
Need Help Choosing a Plan? Add Ons Compare All Plans

Cloudflare Rate Limiting

Control to block suspicious visitors

Rate Limiting protects against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeting the application layer.

Cloudflare’s 59 Tbps global anycast network is 23x bigger than the largest DDoS attack ever recorded, allowing all internet assets on Cloudflare’s network to withstand even massive DDoS attacks.

Rate Limiting provides the ability to configure thresholds, define responses, and gain valuable insights into specific URLs of websites, applications, or API endpoints. It adds granular HTTP/HTTPS traffic control to complement Cloudflare’s DDoS protection and Web Application Firewall (WAF) solutions. Cloudflare charges based on “good” requests i.e requests that match a rule you have created and are allowed to origin servers. This also reduces bandwidth costs by eliminating unpredictable traffic spikes or attacks.

Start Rate Limiting malicious traffic for free today.

Sign up Contact Sales
View in Dashboard

Looking for enterprise-grade solutions? Contact Sales

CloudFlare DDOS illustration
Layer 7 DDoS Mitigation

Layer 7 DDoS Mitigation

High precision distributed denial-of-service protection through granular configuration options.

API Protection

API Protection

Set API usage limits to ensure availability and protect against abuse.

Brute Force Protection

Brute Force Protection

Protect sensitive customer information against brute force login attacks.

Cost Savings

Cost Savings

Avoid unpredictable costs associated with traffic spikes or attacks on auto-scaling resources by only allowing good traffic through.

"Rate Limiting ensures I can keep running my service reliably, cost effectively and ethically."
TROY HUNT
Founder at HaveIBeenPwned.com

Rate Limiting in Action

This interactive demo provides three different scenarios on how to utilize rate limiting to protect your endpoints from suspicious requests. Select one of the demos below to see rate limiting in action.

This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.

  • Brute Force Login Protection

  • API Abuse Protection

  • High Precision DDoS Protection

protect
Demo: Brute Force Login Protection

Attempt to login more than 2 times in under 1 minute

This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.

Login

Demo: API Abuse Protection

Refresh the content more than 2 times in under 1 minute

Sophisticated DDoS attacks are difficult to mitigate because they come from a large number of unique IP addresses and mimic legitimate traffic. The demo below uses Rate Limiting to allow up to 2 requests per minute before blocking a potential DDoS attack.

curl -X GET "https://api.cloudflare.com/client/v4/zones/cd7d0123e3012345da9420df9514dad0"
Demo: High Precision DDoS Protection

Refresh the content more than 2 times in under 1 minute

Sophisticated DDoS attacks are difficult to mitigate because they come from a large number of unique IP addresses and mimic legitimate traffic. The demo below uses Rate Limiting to allow up to 2 requests per minute before blocking a potential DDoS attack.

Refreshing... Content loaded successfully. Try refreshing again Request blocked. Try again in 3 minutes
rate limiting rules

Configure Thresholds

Protect your website URLs or API endpoints from suspicious requests that exceed defined thresholds. Granular configuration options including request limits, requests methods, and more.

Define Responses

Website and API visitors hitting defined request thresholds can trigger custom responses, such as mitigating actions (challenges or CAPTCHAS), response codes (Error 401 - Unauthorized), timeouts, and blocking.

rate limiting insights 1

Analytical Insight

Gain deep insights into traffic patterns to help scale and protect your resources. See how much malicious traffic is blocked by rule, how many requests make it to your origin, and more.

Only Pay for Good Traffic. Not Bad.

Cloudflare Rate Limiting can be activated for free. Self-serve plans include 10,000 free requests per month and Enterprise plans allow for unlimited rate limiting. We only charge for good traffic passing through the rate limited endpoints of your website or API. Good traffic means requests that do not exceed your rate limited thresholds.

Requests per IP address matching the traffic pattern.

Rate limiting graph

Cloudflare Features

Cloudflare's Performance and Security Services work in conjunction to reduce latency of websites, mobile applications, and APIs end-to-end, while protecting against DDoS attack, abusive bots, and data breach.

Performance

Cloudflare Performance Services improve conversions, reduce churn, and improve visitor experiences by accelerating web and mobile performance, while keeping applications available.

  • content delivery network

    Content Delivery Network (CDN)

    Spanning 200 cities across 100 countries, Cloudflare’s Anycast CDN caches static content at the edge, reducing latency by delivering assets as close as geographically possible to visitors.
    Learn More
  • website optimization

    Website Optimizations

    Cloudflare includes a suite of web optimizations to improve the performance of Internet assets. Optimizations include the latest web standards, such as HTTP/2 and TLS 1.3, as well as proprietary enhancements for images and mobile device visitors.
    Learn More
  • dns

    DNS

    Cloudflare is the fastest managed DNS provider in the world. Cloudflare has multiple ways to achieve maximum performance for online assets.
    Learn More
  • load balancing

    Load Balancing

    Cloudflare Load Balancing provides load balancing, geo-steering, monitoring and failover for single, hybrid-cloud, and multi-cloud environments, enhancing performance and availability.
    Learn More
  • argo smart routing

    Argo Smart Routing

    Argo Smart Routing improves Internet asset performance on average of 30% by routing visitors through the least congested and most reliable paths on Cloudflare's private network.
    Learn More
  • railgun

    Railgun™

    Railgun compresses previously unreachable web objects by leveraging techniques similar to those used in the compression of high-quality video. This can result in additional performance increase.
    Learn More
  • cloudflare stream

    Stream

    Cloudflare Stream makes streaming high quality video at scale, easy and affordable.
    Learn More
  • cloudflare workers

    Workers

    Cloudflare Workers let developers run JavaScript Service Workers in Cloudflare's global cloud network across 200 cities.
    Learn More

Security

Cloudflare Security Services reduce the risk of lost customers, declining revenues, and degraded brand by protecting against DDoS attacks, abusive bots, and data breach.

  • anycast network

    Anycast Network

    With 200 cities across 100 countries and 59 Tbps of capacity, Cloudflare’s Anycast network absorbs distributed attack traffic by dispersing it geographically, while keeping Internet properties available and performant.
    Learn More
  • dnssec

    DNSSEC

    DNSSEC is the Internet’s non-spoofable caller ID. It guarantees a web application’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden “on-path” attacker.
    Learn More
  • web application firewall (waf)

    Web Application Firewall (WAF)

    Cloudflare’s enterprise-grade web application firewall (WAF) detects and block common application layer vulnerabilities at the network edge, utilising the OWASP Top 10, application-specific and custom rulesets.
    Learn More
  • rate limiting

    Rate Limiting

    Rate Limiting protects critical resources by providing fine-grained control to block or qualify visitors with suspicious request rates.
    Learn More
  • ssl/tls

    SSL / TLS

    Transport Layer Security (TLS) encryption enables HTTPS connections between visitors and origin server(s), preventing on-path attacks, packet sniffing, the display of web browser trust warnings, and more.
    Learn More
  • secure registrar

    Secure Registrar

    Cloudflare is an ICANN accredited registrar, protecting organizations from domain hijacking with high-touch, online and offline verification for any changes to a registrar account.
    Learn More
  • orbit

    Orbit

    Cloudflare Orbit solves security-related issues for Internet of Things devices at the network level.
    Learn More
  • argo tunnel

    Argo Tunnel

    Cloudflare creates an encrypted tunnel between its nearest data center and an application’s origin server without opening a public inbound port.
    Learn More
  • cloudflare access

    Access

    Secure, authenticate, and monitor user access to any domain, application, or path on Cloudflare.
    Learn More
  • cloudflare spectrum

    Spectrum

    Spectrum protects TCP applications and ports from volumetric DDoS attacks and data theft by proxying non-web traffic through Cloudflare’s Anycast network.
    Learn More

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.