Can we run Advanced Rate Limiting with a free Cloudflare license?

What is the domain name?
I would rather not answer this question.

Have you searched for an answer?
Yes.

When you tested your domain using the Cloudflare Diagnostic Center, what were the results?
Diagnostic center does not seem to be working at this time.

Describe the issue you are having:
We want to implement an Advanced Rate Limiting policy to cap a maximum number of connections for a given period of time for several API endpoints in the same URL.
For instance, cap it at 100 requests per hour.
My question is, can we do this with our current free license, or what is the minimum license we can get to get this accomplished?

It depends on exactly what you are going for. Cloudflare launched unmetered rate limiting ("Back in 2017 we gave you Unmetered DDoS Mitigation, here's a birthday gift: Unmetered Rate Limiting"), free rate limiting for all customers, last year.

Free only gets URI Path (not hostname) and only 10s counting/timeout periods. Pro gets slightly more, with more counting/timeout periods and more fields like hostname. If you need a counting period of one hour, only Enterprise with the Adv. Rate Limiting addon gets that. You can find the full list of availability here: Rate limiting rules · Cloudflare Web Application Firewall (WAF) docs

For generic API rate limiting it works great: you could just add a generic, sensible rate limit to your entire API (via hostname/path), and have more specific rules for specific endpoints that should have longer rate limits. You could also go with a more hybrid approach and use CF rate limiting as a generic global rate limit, and have your application do more specific per-API-token/per-resource rate limits, which Discord does, for example.

2 Likes
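
The application side of the hybrid approach from the answer above, as an added example that is not part of the original posts: a sliding-window limiter that enforces the 100-requests-per-hour cap per API token and endpoint, which the 10s counting periods on the Free plan cannot express. The class, function, token and path names are hypothetical, and the in-memory store assumes a single process (several app instances would need a shared store).

```python
import math
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` requests per (token, endpoint) in any `window` seconds."""

    def __init__(self, limit=100, window=3600.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so the window can be tested without waiting
        self._hits = defaultdict(deque)  # (token, endpoint) -> times of allowed requests

    def check(self, token, endpoint):
        """Return (allowed, seconds until the next slot frees up)."""
        now = self.clock()
        hits = self._hits[(token, endpoint)]
        # Forget requests that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) < self.limit:
            hits.append(now)
            return True, 0.0
        # Rejected requests are not recorded, so a client hammering the
        # endpoint does not push its own unblock time further out.
        return False, self.window - (now - hits[0])


def handle(limiter, token, endpoint):
    """Map the limiter decision to an HTTP status and response headers."""
    allowed, retry_after = limiter.check(token, endpoint)
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(math.ceil(retry_after))}


if __name__ == "__main__":
    # Constructed demo: token and path are made-up sample values.
    limiter = SlidingWindowLimiter(limit=100, window=3600.0)
    statuses = [handle(limiter, "tok-A", "/api/orders")[0] for _ in range(101)]
    print(statuses.count(200), "allowed,", statuses.count(429), "rejected")
```

The edge rule in front of the application still absorbs generic floods; this check only decides the longer per-token quota.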
