We’re currently experiencing an ongoing credential stuffing attack which is being mitigated pretty well with a rate limit rule on our login path. However, I’d like this rule to only consider POST requests to our login path, as this is adversely affecting legitimate traffic: the (not so) occasional legitimate incorrect password login attempts cause 3 times as many requests to that path as the illegitimate traffic:
GET to login, form rendered
POST to login, login attempted, fails, server redirect to login path with error message
GET to login
I don’t see a way in the rate limit UI to limit the rule to just POST, is there any other way of doing this?
The domain in question is on the Pro plan currently
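As an added illustration (not code from this thread or from Cloudflare), here is a small Python model of the request pattern described above. It replays a constructed access log through an in-memory sliding-window limiter, once counting every request to the login path and once counting only POSTs, to show why the three-request GET/POST/GET cycle of a genuine failed login trips a method-agnostic rule while the POST-only attacker is caught either way. The path /login, the IPs, timestamps, window and threshold are all assumptions made for the example.

```python
"""
Added example: method-aware sliding-window rate limiting for a login path.
Everything below (log lines, IPs, /login, the 10 s window, the threshold of 5)
is constructed for illustration and is not taken from the thread or Cloudflare.
"""
from collections import defaultdict, deque

LOGIN_PATH = "/login"       # assumed login path
WINDOW_SECONDS = 10         # assumed rate-limit period
THRESHOLD = 5               # assumed: block once more than 5 counted requests fall in the window

# Constructed access-log sample: (unix_time, client_ip, method, path)
SAMPLE_LOG = [
    # Legitimate user: each failed login is GET (form) + POST (attempt) + GET (redirect back).
    (100, "203.0.113.10", "GET", "/login"),
    (101, "203.0.113.10", "POST", "/login"),
    (101, "203.0.113.10", "GET", "/login"),
    (105, "203.0.113.10", "GET", "/login"),
    (106, "203.0.113.10", "POST", "/login"),
    (106, "203.0.113.10", "GET", "/login"),
    # Credential-stuffing client: POSTs straight at the endpoint, never fetches the form.
    (100, "198.51.100.7", "POST", "/login"),
    (100, "198.51.100.7", "POST", "/login"),
    (101, "198.51.100.7", "POST", "/login"),
    (101, "198.51.100.7", "POST", "/login"),
    (102, "198.51.100.7", "POST", "/login"),
    (102, "198.51.100.7", "POST", "/login"),
    (103, "198.51.100.7", "POST", "/login"),
]


class SlidingWindowLimiter:
    """Per-IP sliding window over requests matching (path, method-set)."""

    def __init__(self, window, threshold, methods):
        self.window = window
        self.threshold = threshold
        self.methods = frozenset(methods)
        self.hits = defaultdict(deque)  # ip -> timestamps of counted requests

    def matches(self, method, path):
        # Only requests to the login path with a counted method are rate limited.
        return path == LOGIN_PATH and method in self.methods

    def check(self, ts, ip, method, path):
        """Return True if this request should be blocked."""
        if not self.matches(method, path):
            return False
        q = self.hits[ip]
        # Evict timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        return len(q) > self.threshold


def evaluate(log, methods, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Replay the log in time order; return {ip: number of blocked requests}."""
    limiter = SlidingWindowLimiter(window, threshold, methods)
    blocked = defaultdict(int)
    for ts, ip, method, path in sorted(log, key=lambda r: r[0]):
        if limiter.check(ts, ip, method, path):
            blocked[ip] += 1
    return dict(blocked)


if __name__ == "__main__":
    # Counting GET and POST: the legitimate user's 6 requests exceed the threshold too.
    print("all methods :", evaluate(SAMPLE_LOG, {"GET", "POST"}))
    # Counting POST only: the legitimate user's 2 attempts stay under it; the attacker does not.
    print("POST only   :", evaluate(SAMPLE_LOG, {"POST"}))
```

The limiter keys on source IP alone, which is the simplest characteristic; a real rule would normally also scope to the response (e.g. only count failed logins) so that a user who types the right password is never counted at all.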
The protect your logon rule available for free uses POST as a criterion. Otherwise method is a business or ent plan feature.
Cloudflare has just launched Advanced Rate Limiting, but it is only available to the Enterprise Plan at the moment. The Cloudflare blog post does say that:
If you are a Pro or Biz customer, you won’t be able to use Advanced Rate Limiting, but we are planning to give some advantages to Pro and Biz plans as well.
And, further down:
What’s next for Rate Limiting
In the coming months, we are going to collect feedback from our customers to decide what additional features we should include in Advanced Rate Limiting. We already have a few ideas we are exploring, including automatically profiling your traffic and recommending thresholds for your rules.
So you might want to edit your original post to change the category to Feedback > Feature Request, with a tag to WAF, to make it a suggestion to be considered. (Just don’t expect to get an ETA, or even a promise that any requested feature will be available at your plan level, unless of course a Cloudflare staff member steps in to say otherwise.)
You can read the full blog post here.
Meanwhile, if the number of users is small (< 50) you could opt instead for an Access Policy to protect your login page, then removing Rate Limiting for that page. Above 50 users, there’s a monthly charge per user.
Oh, I had totally missed this! That’s exactly what I need.