We were exploring the Rate Limiting tools to address certain exploits on our servers. In order to specify the appropriate number, i.e. the request limit and threshold timing, below are a few things that I hope to get some clarifications,
Is there a way to set the request method? Currently, our exploits are mostly on POST request. We would like to apply rate limiting only to those APIs.
Does rate limiting also limit the loading of site assets? For instance, when our site loads, there is about 50 requests for loading various site assets such as CSS, JS, images. Will these requests limited by the Rate Limiting rules? If not, how does CloudFlare differentiate these request vs. those we specified in the Rate Limiting rules? (Assuming that we specified * in the URL.)
We are contemplating Rate Limiting rules of high request limit (10 req per 10 secs) with longer threshold (block 1 day), vs. low request limit (2 req per 10 secs) with shorter threshold (block 1 min). I know there is no best solution, but can anyone share the pros and cons for both and applicable scenario.
Thanks in advanced.