Is Rate Limiting Always Custom Coded?

I’m getting close to launching an app… it’s more or less my first real app. I’ve done some small ones but this one is legit.

I always freak out when I launch an app…

  • I don’t want my api to be attacked somehow
  • I don’t want some code error I made to make tens of thousands of requests by accident.
  • I don’t want to do something dumb and rack up a huge bill

I am tested my app and my Workers and everything at least so far seems to work really well.

I was thinking or building a rate limit so any ip could only make so many requests per day or something like that.

I’m never done rate limited before. I know Cloudflare has their built in abuse detection.

But are most rate limiting solutions for hitting api endpoints custom coded?

I don’t see it being very hard… Durable Objects would be perfect for this… but just wanted to get any insight.


I suspect you might be interested in this.

Generally speaking, the only real ways to stop API attacks are Rate limit, ML, and finger printing legitimate requests, rejecting the rest.

I don’t follow on this one.

You need to be careful and keep an eye on the usage, however, rate limit is in general rather cheap.


I do know of the new API Gateway. I will have to look into it more. Is it ready for production?

When I said… I don’t want some code error to make tens of thousands of requests by accident. I mean I don’t want bad code I may have written to cause a request loop.

I’ve done this in development before… a couple times. And of course I test for this and make sure it won’t happen. But mistakes do happen… it’s life.

I guess what I’m asking is… is there a way to shut down a service or Worker if you need to?

I’ve seen the advanced rate limiting… and while I have not deeply looked into it… I thought it only works if you host your app on Cloudflare.

I am only using Workers… KV… and Durable Objects for my API and persistent storage. I was planning on hosting on Vercel since my app is written in NextJS.

Thanks for your answers and help!

You either block the path with a firewall rule or remove the route from worker itself :slight_smile:

It needs to be proxied, of course. But the origin can be anything.

Is there any documentation for this?

I don’t see what documentation I can provide here… it’s the basics of how all Cloudflare services work.