Extensions Extension Products
Extensions Extension Products
Extensions Extension Products

Cloudflare Rate Limiting

Control to block suspicious visitors

Rate Limiting protects against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeting the application layer.

Cloudflare’s 15 Tbps global anycast network is 15x bigger than the largest DDoS attack ever recorded, allowing all internet assets on Cloudflare’s network to withstand even massive DDoS attacks.

Rate Limiting provides the ability to configure thresholds, define responses, and gain valuable insights into specific URLs of websites, applications, or API endpoints. It adds granular HTTP/HTTPS traffic control to complement Cloudflare’s DDoS protection and Web Application Firewall (WAF) solutions. Cloudflare charges based on “good” requests i.e requests that match a rule you have created and are allowed to origin servers. This also reduces bandwidth costs by eliminating unpredictable traffic spikes or attacks.

Start Rate Limiting malicious traffic for free today.

Contact Our Team

Already a Cloudflare customer? Activate Rate Limiting


Layer 7 DDoS Mitigation

High precision distributed denial-of-service protection through granular configuration options.

API in browser

API Protection

Set API usage limits to ensure availability and protect against abuse.

Browser with cloud icon

Brute Force Protection

Protect sensitive customer information against brute force login attacks.

Lock in front of data

Cost Savings

Avoid unpredictable costs associated with traffic spikes or attacks on auto-scaling resources by only allowing good traffic through.

Rate Limiting ensures I can keep running my service reliably, cost effectively and ethically.
Founder at HaveIBeenPwned.com

Rate Limiting in Action

This interactive demo provides three different scenarios on how to utilize rate limiting to protect your endpoints from suspicious requests. Select one of the demos below to see rate limiting in action.

This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.

  • Brute Force Login Protection

  • API Abuse Protection

  • High Precision DDoS Protection

Demo: Brute Force Login Protection

Attempt to login more than 2 times in under 1 minute

This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.


Demo: API Abuse Protection

Click "Run" to initiate excessive API requests

This example simulates a content scraper programmatically sending requests to an API. With Rate Limiting, we mitigate API service degradation by allowing 10 requests to our endpoint before serving a custom JSON response.

curl -X GET "https://api.cloudflare.com/client/v4/zones/cd7d0123e3012345da9420df9514dad0"
Demo: High Precision DDoS Protection

Refresh the content more than 2 times in under 1 minute

Sophisticated DDoS attacks are difficult to mitigate because they come from a large number of unique IP addresses and mimic legitimate traffic. The demo below uses Rate Limiting to allow up to 2 requests per minute before blocking a potential DDoS attack.

Refreshing... Content loaded successfully. Try refreshing again Request blocked. Try again in 3 minutes

Configure Thresholds

Protect your website URLs or API endpoints from suspicious requests that exceed defined thresholds. Granular configuration options including request limits, requests methods, and more.

Define Responses

Website and API visitors hitting defined request thresholds can trigger custom responses, such as mitigating actions (challenges or CAPTCHAS), response codes (Error 401 - Unauthorized), timeouts, and blocking.

Analytical Insight

Gain deep insights into traffic patterns to help scale and protect your resources. See how much malicious traffic is blocked by rule, how many requests make it to your origin, and more.

Only Pay for Good Traffic. Not Bad.

Cloudflare Rate Limiting can be activated for free. Self-serve plans include 10,000 free requests per month and Enterprise plans allow for unlimited rate limiting. We only charge for good traffic passing through the rate limited endpoints of your website or API. Good traffic means requests that do not exceed your rate limited thresholds.

Requests per IP address matching the traffic pattern.

Rate limiting graph

Already a Cloudflare customer? Activate Rate Limiting

Cloudflare Features

Cloudflare's Performance and Security Services work in conjunction to reduce latency of web sites, mobile applications, and APIs end-to-end, while protecting against DDoS attack, abusive bots, and data breach.


Cloudflare Performance Services improve conversions, reduce churn, and improve visitor experiences by accelerating web and mobile performance, while keeping applications available.

  • Content Delivery Network (CDN)

    With 151 data centers across 58 countries, Cloudflare’s Anycast CDN caches static content at the edge, reducing latency by delivering assets as close as geographically possible to visitors.
  • Website Optimizations

    Cloudflare includes a suite of web optimizations to improve the performance of Internet assets. Optimizations include the latest web standards, such as HTTP/2 and TLS 1.3, as well as proprietary enhancements for images and mobile device visitors.
  • DNS

    Cloudflare is the fastest managed DNS provider in the world, routing over 38% of all global DNS traffic. Cloudflare has multiple ways to achieve maximum performance for online assets.
  • Load Balancing

    Cloudflare Load Balancing provides load balancing, geo-steering, monitoring and failover for single, hybrid-cloud, and multi-cloud environments, enhancing performance and availability.
  • Argo Smart Routing

    Argo Smart Routing improves Internet asset performance on average of 35% by routing visitors through the least congested and most reliable paths on Cloudflare's private network.
  • Railgun

    Railgun compresses previously uncacheable web objects up to 99.6% by leveraging techniques similar to those used in the compression of high-quality video. This results in an average 200% additional performance increase.
  • Stream

    Cloudflare Stream makes streaming video easy by handling data storage, media encoding, content embedding and playing, regional delivery, and analytics.


Cloudflare Security Services reduce the risk of lost customers, declining revenues, and degraded brand by protecting against DDoS attacks, abusive bots, and data breach.

  • Anycast Network

    With 151 data centers across 58 countries and 15 Tbps of capacity, Cloudflare’s Anycast network absorbs distributed attack traffic by dispersing it geographically, while keeping Internet properties available and performant.

    DNSSEC is the Internet’s non-spoofable caller ID. It guarantees a web application’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden “man-in-the-middle” attacker.
  • Web Application Firewall (WAF)

    Cloudflare’s enterprise-grade web application firewall (WAF) detects and block common application layer vulnerabilities at the network edge, utilising the OWASP Top 10, application-specific and custom rulesets.
  • Rate Limiting

    Rate Limiting protects critical resources by providing fine-grained control to block or qualify visitors with suspicious request rates.
  • SSL / TLS

    Transport Security Layer (TLS) encryption enables HTTPS connections between visitors and origin server(s), preventing man-in-the-middle attacks, packet sniffing, the display of web browser trust warnings, and more.
  • Secure Registrar

    Cloudflare is an ICANN accredited registrar, protecting organizations from domain hijacking with high-touch, online and offline verification for any changes to a registrar account.
  • Orbit

    Cloudflare Orbit solves security-related issues for Internet of Things devices at the network level.
  • Argo Tunnel

    Cloudflare creates an encrypted tunnel between its nearest data center and an application’s origin server without opening a public inbound port.
  • Workers

    Cloudflare Workers let developers run JavaScript Service Workers in Cloudflare's 151 data centers around the world.
  • Access

    Secure, authenticate, and monitor user access to any domain, application, or path on Cloudflare.
  • Spectrum

    Spectrum protects TCP applications and ports from volumetric DDoS attacks and data theft by proxying non-web traffic through Cloudflare’s Anycast network.

New Products Overview: Use Cases and Demos

Presented by: Jon Burling, Brian Mgrdichian, & Nick McGourty

Date/Time: Thursday, April 26th @ 11AM PT