Control to block suspicious visitors
Rate Limiting protects against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeting the application layer.
Cloudflare’s 67 Tbps global anycast network is 23x bigger than the largest DDoS attack ever recorded, allowing all internet assets on Cloudflare’s network to withstand even massive DDoS attacks.
Rate Limiting provides the ability to configure thresholds, define responses, and gain valuable insights into specific URLs of websites, applications, or API endpoints. It adds granular HTTP/HTTPS traffic control to complement Cloudflare’s DDoS protection and Web Application Firewall (WAF) solutions. Cloudflare charges based on “good” requests i.e requests that match a rule you have created and are allowed to origin servers. This also reduces bandwidth costs by eliminating unpredictable traffic spikes or attacks.
Start Rate Limiting malicious traffic for free today.
Looking for enterprise-grade solutions? Contact Sales
Layer 7 DDoS Mitigation
High precision distributed denial-of-service protection through granular configuration options.
API Protection
Set API usage limits to ensure availability and protect against abuse.
Brute Force Protection
Protect sensitive customer information against brute force login attacks.
Cost Savings
Avoid unpredictable costs associated with traffic spikes or attacks on auto-scaling resources by only allowing good traffic through.
This interactive demo provides three different scenarios on how to utilize rate limiting to protect your endpoints from suspicious requests. Select one of the demos below to see rate limiting in action.
This example demonstrates the ability to limit the number of login attempts. Visitors get 2 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.
Brute Force Login Protection
API Abuse Protection
High Precision DDoS Protection
Login
Attempting login . . .
You have made too many login attempts. Try again in 5 minutes
Login attempt successful and not blocked. Try again
Sophisticated DDoS attacks are difficult to mitigate because they come from a large number of unique IP addresses and mimic legitimate traffic. The demo below uses Rate Limiting to allow up to 2 requests per minute before blocking a potential DDoS attack.
curl -X GET "https://api.cloudflare.com/client/v4/zones/cd7d0123e3012345da9420df9514dad0"
Protect your website URLs or API endpoints from suspicious requests that exceed defined thresholds. Granular configuration options including request limits, requests methods, and more.
Website and API visitors hitting defined request thresholds can trigger custom responses, such as mitigating actions (challenges or CAPTCHAS), response codes (Error 401 - Unauthorized), timeouts, and blocking.
Gain deep insights into traffic patterns to help scale and protect your resources. See how much malicious traffic is blocked by rule, how many requests make it to your origin, and more.
Cloudflare Rate Limiting can be activated for free. Self-serve plans include 10,000 free requests per month and Enterprise plans allow for unlimited rate limiting. We only charge for good traffic passing through the rate limited endpoints of your website or API. Good traffic means requests that do not exceed your rate limited thresholds.
Cloudflare's Performance and Security Services work in conjunction to reduce latency of websites, mobile applications, and APIs end-to-end, while protecting against DDoS attack, abusive bots, and data breach.
Cloudflare Performance Services improve conversions, reduce churn, and improve visitor experiences by accelerating web and mobile performance, while keeping applications available.
Cloudflare Security Services reduce the risk of lost customers, declining revenues, and degraded brand by protecting against DDoS attacks, abusive bots, and data breach.
Cloudflare Rate Limiting
In submitting this form, you agree to receive information from Cloudflare related to our products, events, and special offers. You can unsubscribe from such messages at any time. We never sell your data, and we value your privacy choices. Please see our Privacy Policy for information.
To provide you with the best possible experience on our website, we may use cookies, as described here.By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.