Ratelimit not resetting

I have developed a PHP, JS, and HTML (Rendered in PHP) website that is routed through a reverse proxy to ensure CORS compliance. This setup uses Cloudflare’s GraphQL API to allow internal team members to look up RAY-IDs for compliance, specifically when users are blocked via Cloudflare’s Layer 7 (WAF) security rules. The purpose of this tool is to help the team determine whether a block was intentional or due to a security policy.

I was able to retrieve information for a specific RAY-ID using a curl command but am currently encountering rate-limiting issues.

Below is the reverse proxy configuration I am using for accessing Cloudflare’s API:

# Reverse Proxy Configuration for Cloudflare API
location /api/ {
    proxy_pass https://api.cloudflare.com/client/v4/graphql;
    proxy_set_header Host api.cloudflare.com;
    proxy_set_header Authorization "Bearer VALID-API-ID";
    proxy_set_header Content-Type application/json;
    proxy_set_header Accept application/json;

    # CORS headers
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
    add_header Access-Control-Allow-Headers "Authorization, Content-Type";

    # Preflight OPTIONS requests
    if ($request_method = OPTIONS) {
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Authorization, Content-Type";
        return 204;
    }
}

Hello,

The Cloudflare GraphQL API limits the number of GraphQL requests each user can send. The default quota is 300 GraphQL queries over a 5-minute window. It allows a user to run at least 1 query every second or do a burst of 300 queries and then wait 5 minutes before issuing another query.

That rate limit is applied in addition to the general rate limits enforced by the Cloudflare API.

Once the authorization token used to connect to the API triggers the rate limit, you need to wait for it to cool down for 5 minutes.
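
A hardened variant of the proxy configuration from the question, sized to the 300-queries-per-5-minutes quota described in the reply: with `Access-Control-Allow-Origin *` and the token injected by the proxy, every caller that can reach `/api/` spends the same token's quota. This is an added example, not part of either post and not Cloudflare's own configuration; the origin `https://lookup.internal.example`, the `10.0.0.0/8` range, the zone name `cf_graphql` and the `50r/m` rate are assumptions.

```nginx
# --- http {} context ---------------------------------------------------------
# One shared bucket for all callers: the upstream quota belongs to the token,
# not to the individual browser. 50r/m plus burst=20 admits roughly 270
# requests in any 5-minute window, which stays under the 300-query quota.
limit_req_zone $server_name zone=cf_graphql:1m rate=50r/m;

# Echo Origin back only for the team's own site (hypothetical hostname).
# An empty value makes nginx omit the header entirely.
map $http_origin $cors_origin {
    default                            "";
    "https://lookup.internal.example"  $http_origin;
}

# --- inside the existing server {} block -------------------------------------
# Exact match: only /api/ is forwarded, nothing is appended to the upstream path.
location = /api/ {
    # Preflight carries no token and is answered locally.
    if ($request_method = OPTIONS) {
        add_header Access-Control-Allow-Origin  $cors_origin;
        add_header Access-Control-Allow-Methods "POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type";
        add_header Vary Origin;
        return 204;
    }

    # Only the team network reaches the token-bearing upstream (assumed range).
    allow 10.0.0.0/8;
    deny  all;

    # Excess requests get a local 429 and never count against the upstream quota.
    limit_req        zone=cf_graphql burst=20 nodelay;
    limit_req_status 429;

    proxy_pass https://api.cloudflare.com/client/v4/graphql;
    proxy_ssl_server_name on;                              # send SNI upstream
    proxy_set_header Host api.cloudflare.com;
    proxy_set_header Authorization "Bearer VALID-API-ID";  # placeholder from the post
    proxy_set_header Content-Type application/json;
    proxy_set_header Accept application/json;

    # "always" keeps the CORS headers on 403 and 429 responses as well.
    add_header Access-Control-Allow-Origin $cors_origin always;
    add_header Vary Origin always;
}
```

Local 429 responses in the proxy's access log then show whether requests are being spent on the token from this path.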

I’ve waited days; however, the RL is persistent and isn’t gone. No queries have been run.
