Regex on rate limit


I’m surprised there is no way for us to rate limit only dynamic files (i.e., everything that is not .js, css …).
It would help a lot, especially against attacks that target multiple paths of the website.

Regex is computationally expensive. I can’t think of a reason a legitimate user would hammer away at anything. Static files should be cached in the browser, so those shouldn’t trigger rate limiting.

You are absolutely right about regex being expensive. What I wanted to say is that rate limit should not be considered at all on static files.
If our site has many resources and they are queried by a new visitor when we are facing an attack, chances are legitimate users are flawed by it. This discourages us from making “global” rules, and we have to be looking after newer attacks and see which URL the attackers are aiming at that specific moment.

This is making me wonder if Rate Limiting applies to cached content. If someone wants to attack Cloudflare’s cache, it certainly won’t impact my site.

Edit: It may not occur; the machine I used to test is on permanent challenge due to the hosting ASN being problematic.
I will be testing it, but what I think happens is that static files that are not cached on Cloudflare actually suffer from that “issue”.

My point is that, even if the attacker was aiming at a static file, chances of our (and most) servers going down are very unlikely; what causes outages is the dynamic generation of the pages.


This topic was automatically closed after 30 days. New replies are no longer allowed.
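The idea discussed in this thread, counting only dynamic requests toward a rate limit, does not need regex: a suffix check on the URL path is enough. The sketch below is an added example, not code from any poster and not how Cloudflare implements rate limiting; the extension list, limits, class and function names, and the traffic samples are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Assumed extension list; adjust to what the site actually serves as files.
STATIC_EXTENSIONS = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff2")

def is_static(url: str) -> bool:
    """Suffix match on the path only (no regex); the query string is ignored."""
    return urlsplit(url).path.lower().endswith(STATIC_EXTENSIONS)

class DynamicOnlyLimiter:
    """Per-client sliding-window limiter that never counts static-file requests."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # client -> timestamps of counted requests

    def allow(self, client: str, url: str, now: float) -> bool:
        if is_static(url):
            return True  # static assets are exempt from the limit
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(limiter, client, urls, start=0.0, step=0.1):
    """Replay urls at a fixed interval and return how many were blocked."""
    return sum(not limiter.allow(client, u, start + i * step)
               for i, u in enumerate(urls))

# Constructed traffic: a first-time visitor pulling one page plus 40 assets,
# and a client hitting 40 different dynamic paths in four seconds.
NEW_VISITOR = (["/"] + [f"/assets/app{i}.js" for i in range(20)]
               + [f"/assets/theme{i}.css" for i in range(20)])
MULTI_PATH_FLOOD = [f"/search?q={i}" if i % 2 else f"/product/{i}"
                    for i in range(40)]

if __name__ == "__main__":
    lim = DynamicOnlyLimiter(limit=10, window=10.0)
    print("visitor blocked:", simulate(lim, "visitor", NEW_VISITOR))
    print("flood blocked:", simulate(lim, "flood", MULTI_PATH_FLOOD))
```

With a global rule the new visitor's 41 requests would all count; here only the page itself does. The extension list should match only paths the origin really serves as files.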