We’ve got a rate limiting rule set up to prevent automated signups to our webapp.
It’s set to 5 requests per 10 seconds, block for a day on a specific endpoint (it was set to an hour, I’ve just updated it to a day).
Today someone managed to get through this and the rate limiting only triggered 727 times whereas the total traffic was >250k requests.
All from one IP - once we blocked the IP in the firewall the traffic stopped but the whole point of the rate limit rule is to do this for us based on the rule.
Are there any common failure points or things I need to consider when setting this up to make sure it works properly? In my limited testing it’s working, but it’s obviously failing at some point.
It’s a Cloudflare Business account.
Any help appreciated,
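
An added example, not part of the original post: a simplified offline model of the rule described above (5 requests per 10 seconds on one endpoint, block for a day), used to compare what such a rule should let through with what the origin logs show per IP. The sliding-window counting, the function names, the `/signup` path and the sample traffic are assumptions made for illustration; it does not reproduce how Cloudflare counts requests internally.

```python
from collections import defaultdict, deque

def simulate_rule(requests, path, limit=5, period=10, block_seconds=86400):
    """Replay (epoch_seconds, ip, path) tuples, sorted by time, through a
    simple per-IP sliding-window limiter (assumed model, not Cloudflare's)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked_until = {}            # ip -> time at which the block expires
    stats = defaultdict(lambda: {"passed": 0, "blocked": 0, "triggers": 0})
    for ts, ip, req_path in requests:
        if req_path != path:
            continue              # the rule only covers one endpoint
        if ts < blocked_until.get(ip, 0):
            stats[ip]["blocked"] += 1
            continue
        window = recent[ip]
        while window and window[0] <= ts - period:
            window.popleft()      # drop requests older than the period
        window.append(ts)
        if len(window) > limit:   # threshold exceeded: start the block
            blocked_until[ip] = ts + block_seconds
            stats[ip]["triggers"] += 1
            stats[ip]["blocked"] += 1
            window.clear()
        else:
            stats[ip]["passed"] += 1
    return dict(stats)

def enforcement_gaps(expected, reached_origin):
    """Per IP: requests seen at the origin beyond what the model allows."""
    gaps = {}
    for ip, seen in reached_origin.items():
        allowed = expected.get(ip, {"passed": 0})["passed"]
        if seen > allowed:
            gaps[ip] = seen - allowed
    return gaps

def sample_requests():
    """Constructed traffic: one client at 4 req/s for 30 s, one every 5 s."""
    burst = [(i * 0.25, "203.0.113.7", "/signup") for i in range(120)]
    slow = [(i * 5.0, "198.51.100.9", "/signup") for i in range(6)]
    return sorted(burst + slow)

if __name__ == "__main__":
    expected = simulate_rule(sample_requests(), "/signup")
    # Constructed origin-side counts: every request reached the application.
    origin_counts = {"203.0.113.7": 120, "198.51.100.9": 6}
    print(expected)
    print(enforcement_gaps(expected, origin_counts))
```

A large gap for a single IP means requests are reaching the application that a rule of this shape would have stopped, which points at how the rule matches or counts that traffic rather than at the threshold itself.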