Create ratelimit payload not working

I want to create a ratelimit WAF Rate limiting rules. The documentation gave me the needed parameters, so my current payload looks like this:

        description: "<description>",
        name: "<name>",
        kind: "zone",
        phase: "http_ratelimit",
        rules: [{
            expression: "<expression>",
            //enabled: true,
            action: "block"
        characteristics: ["ip.src"],
        requests_per_period: 75,
        period: 10,
        mitigation_timeout: 10

the response I’m getting is:

  "result": null,
  "success": false,
  "errors": [
      "message": "invalid JSON: unknown field \"characteristics\""
  "messages": null

but when I remove the “characteristics” I get the same for “requests_per_period” and so on for “period” and “mitigation_timeout”.

Anyone know how I have to format the payload? The URL I’m requesting is see here

Also is “enabled” in the rule allowed? Since I couldn’t fine if it is or not, I only know that for “http_request_firewall_custom” it is allowed, so I assumed it is too for the rate limiting.

Thanks for any help.

That just doesn’t look like the right payload. I suggest you start with this template:—rate-limiting-based-on-request-properties

Or maybe mine just isn’t the right API call for what you’re trying. But it does look like the most direct approach.

but I first need to create a ruleset, in order to get the suleset id, or is there by default an rate limiting ruleset.

I’m trying to create a rule here

Security → WAF → Rate Limiting Rules

I was able to get this payload to work:

  "description": "Rate Limit Them Pests",
  "kind": "zone",
  "name": "Rate Limiter",
  "phase": "http_ratelimit",
  "rules": [
   "description": "My rate limiting rule",
  "expression": "(http.request.uri.path matches \"^/api/\")",
  "action": "block",
  "action_parameters": {
    "response": {
      "status_code": 403,
      "content": "You have been rate limited.",
      "content_type": "text/plain"
  "ratelimit": {
    "characteristics": [
    "period": 60,
    "requests_per_period": 100,
    "mitigation_timeout": 600

Alright, after some try and error, I found how to do it, by combining the invoking of a new rule in a rule set, and creating a new ruleset with the rules for rate limiting.

For anyone having issue finding out how to achieve this:

This is the body with short description:

        description: "<ruleset description>",
        name: "<ruleset name>",
        kind: "<kind>",  //eg "zone"
        phase: "http_ratelimit",
        rules: [{
            expression: "<normal expression when to trigger>",
            action: "<action>", //eg "block"
            enabled: true,  //false for disabling
            description: "<rule description>",
                characteristics: [<defining how cf tracks the request rate (string)>],  //cf forced me to add ""
                requests_per_period: <how many requests until rule executes>,
                period: <seconds for each period (see plan for allowed values)>,
                mitigation_timeout: <seconds how long the rule will be apllied on next requests>

The endpoint you want to reach is:<zoneId>/rulesets.

For more parameter and a more detailed description of the parameter refer to their documentation

Really appreciate your work, actually I just found it out myself, and wrote my own reply in case someone else need it in the future. But imo, your example is better, so thanks.

1 Like

Yours is clean and to the point. It looks like a better template for anybody who wants to give it a shot.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.