How to apply rate limit rule on whole subdomain

May I ask if you’re using a free plan type? :thinking:

You could go with / for path, however that’s not the ideal solution and cannot be accomplished, since it’ll match every request.

You’d have to upgrade to at least Pro plan to have such fields available to you, and even better WAF with Managed Rules and better performance overall.

If I may add here as a really good reference with updated info for further cases in terms of security and protection with Cloudflare from my colleague:

We can lock down our web host and allow only the Cloudflare to connect and similar techniques:

We can use Cloudflare Access / Zero Trust (Teams):

Nevertheless, consider blocking some of the known “bad user-agents”, “crawlers” or “bad ASNs” using below posts:

Last but not the least, kindly see more by reading Cloudflare articles which contain a lot of helpful information for better understanding and usage as well in terms of Security and Protection: