Rate limiting rules - what if I'll need more than 10?


What do I do if I need to block more than 10 urls, and I can’t use wildcards to catch some of them together without catching more urls which should not be limited?

  1. Is it possible to use multiple url patterns in a single rule?
  2. Is it possible to purchase more rules?

I had an idea to make all urls that need to be rateLimited end with /rateLimited so that the version without /rateLimited in the end will be protected with a password, and then I could change all consumers (which don’t know the password) to use the rateLimited version.

Will a wildcard of *.my.domain/*/rateLimited should work?

If so, it will also give me the ability of a bypass rate limiting with a password without an enterprise account.

Would love to get feedback on this or possibly additional solutions.

Thanks in advance,


Hm, you would need to create more Rate Limiting Rules, specified for each URL?

There are more Rate Limiting Rules available depending on the Cloudflare Package for the domain.
See here:


There is a way to configure the Bypass option (Enterprise plans only) for multiple URLs:


May I ask do you combine Firewall rules for these URLs you need?
For example, adding a captcha/challenge for them or disallowing some countries to request/access them?

In that case, can you configure, if applicable, 401 authorization with a username and password at your origin/host for that URLs?

1 Like

Thanks for the reply @fritex,

I’m not sure I understood the question. My intention was to add credentials to the not rate limited version, but keep the rate limited version available without the password.

The question is if my idea for the wild card as mentioned will work on multiple domains and urls as long as the url end with /rateLimited.

This topic was automatically closed after 30 days. New replies are no longer allowed.