Rate Limit Page Not Displaying (Block or Challenge)

Context: Created a custom rate-limiting rule using Cloudflare’s Challenge page.

What I expected to happen: Cloudflare’s challenge page to display in the browser.

What actually happened: When I tested the rule I saw the rate limit trigger in Cloudflare’s metrics, and in the browser’s network tab I received a 429 status code with the Challenge page as the response. Are there additional steps that need to be taken to have the Challenge page display? I thought it was automatically served by Cloudflare.

Steps taken to fix it: Tried using Block instead of Challenge, spoke to support, and looked through documentation.

I’m unsure what the issue is. It was set to challenge and you said you got a 429 status code with the challenge page as a response.

Was this perhaps for an asset where a challenge response doesn’t make sense (e.g. a CSS or JPG file)?

Challenge works well for www.example.com/login, but not so well for assets where the browser can’t discern intent and would be unlikely to override the request in a way that could render meaningfully to an end user.

This challenge is for a POST request. I assumed that if they triggered the rate limit the 429 error page would be shown.

So if the IP address does the POST 5 times in a minute -> display Challenge page.

Would we need to come up with our own solution to render the 429 response (the challenge page)?

Oh…no… that’s not gonna work at all. A POST request is an atomic action; the browser is neither looking for, nor willing to accept, any nonsense.

In theory you could write a Worker to temporarily write that POST data somewhere, return a response, and <something something> with the original data if they did <other something something>.

Typically POSTs are credential-stuffing related. I would suggest setting a low threshold for the first penalty (block for a minute) and a higher penalty if they exceed the next threshold in the time period.

If it’s a mobile app and you have a plan supporting it, I’d send a JSON response so the app can set a timer to know how long it’s been locked out and not display a live ‘submit’ button again until they have cleared the penalty phase.

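The "set a timer" approach from the reply above, as an added example that is not code from the thread or from Cloudflare: a fetch()/XHR POST that gets a 429 never shows the challenge HTML to the user, so the page script reads the 429 itself and keeps the submit control disabled until the lockout ends. The `retry_after` JSON field and the plain-object header map are assumptions; the `Retry-After` header is the standard HTTP one.

```javascript
// Added example, not code from the thread. A fetch()/XHR POST that gets a 429
// will never render Cloudflare's challenge HTML, so the client must read the
// 429 and keep the submit control disabled until the lockout ends.
const DEFAULT_LOCKOUT_SECONDS = 60; // "block for a minute", used when nothing better is sent

// Seconds of lockout announced by a Retry-After header: either an integer
// delay or an HTTP-date. Returns null if absent or unparseable.
function secondsFromRetryAfter(value, nowMs) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  if (/^\d+$/.test(value.trim())) return parseInt(value, 10);
  const at = Date.parse(value);
  if (Number.isNaN(at)) return null;
  return Math.max(0, Math.ceil((at - nowMs) / 1000));
}

// Seconds of lockout from a constructed JSON body {"retry_after": <seconds>}
// (hypothetical field name). Returns null for non-JSON bodies such as the
// challenge HTML the original poster saw in the network tab.
function secondsFromJsonBody(bodyText) {
  try {
    const data = JSON.parse(bodyText);
    return Number.isFinite(data.retry_after) ? data.retry_after : null;
  } catch (_) {
    return null;
  }
}

// Decide whether the response means "locked out" and until when.
// headers is a plain object keyed by lower-case header name.
function parseLockout(status, headers, bodyText, nowMs) {
  if (status !== 429) return { limited: false, retryAtMs: null };
  const seconds =
    secondsFromJsonBody(bodyText) ??
    secondsFromRetryAfter(headers['retry-after'], nowMs) ??
    DEFAULT_LOCKOUT_SECONDS;
  return { limited: true, retryAtMs: nowMs + seconds * 1000 };
}

// Whole seconds left on the lockout; 0 once the button may be re-enabled.
function remainingSeconds(retryAtMs, nowMs) {
  return Math.max(0, Math.ceil((retryAtMs - nowMs) / 1000));
}

// Constructed sample: the POST that exceeds the threshold comes back as a 429
// with a JSON body, which is what the app would see and hand to parseLockout.
const sample = parseLockout(429, { 'retry-after': '120' }, '{"retry_after":120}', Date.now());
console.log('locked out for', remainingSeconds(sample.retryAtMs, Date.now()), 's');
```

In a real page the call to `parseLockout` sits in the POST's response handler, and a `setTimeout` for `remainingSeconds` re-enables the button.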

Oh I see. Well at least the 429s still occur. So that might be a good enough solution for now.

