WAF > Rate Limiting

I have a few questions about the Rate Limiting rules:

  1. What’s the best way to set a rule to limit repeated connections on ANY page? I considered this:

(starts_with(http.request.uri.path, "/"))

(which wouldn’t work on the homepage, I guess)

but I’m not sure if this would mean that someone would have an error if they clicked to go to one page and then clicked on a link on that page within 10 seconds?

  2. The only “action” I see is to give them an error if they do that. Is there a way to just throttle them so that the page DOES open, but waits for, say, after 10 seconds? This would be less aggressive towards actual users.

/ is the homepage, so yes it will hit every request on your site so don’t make the number of requests in 10 seconds too tight. It’s more to stop aggressive scans, bots and attacks than set an exact value for people surfing your site.

Rate limiting features are very limited on the free account, features get better the more you pay. Throttling requires an enterprise account…

Do you think that 5 requests in 10 seconds would be too tight?

When I signed on I didn’t realize that this meant “per website”; meaning, each site in my account would have its own paid account. With 100 domains being added, even the $20 plan is cost-prohibitive! I couldn’t imagine what the Enterprise account would cost 😮

Don’t forget, every page, image, JavaScript file, icon and so on that comes from your site is a request. Depending on your site, a single page load could be dozens or hundreds of requests if you use “starts with /” as the rule. Best to use rate limiting on the dynamic non-cached pages to protect your origin, and let the Cloudflare cache handle the other stuff.
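To make the point above concrete, here is an added simulation (not code from the thread or from Cloudflare) of a sliding-window counter, the same shape as a “5 requests in 10 seconds” rule, run over a constructed request log. It compares the thread’s `starts_with(http.request.uri.path, "/")` rule against a rule scoped to dynamic paths only. The sample IPs, paths and timestamps are made up, the static-asset suffix list is an assumption, and the Cloudflare expression shown in the comment for the dynamic rule is my own approximation using the Rules language `ends_with()` function, not something the thread provides. Cloudflare’s real counters also apply a mitigation timeout after the threshold is crossed; this model only finds the first request that would trip the rule.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # the "10 seconds" period from the question
THRESHOLD = 5         # the "5 requests" value the poster asked about

# Constructed sample: one visitor loads the homepage (HTML plus its assets),
# then clicks through to a product page three seconds later.
PAGE_VISIT = [
    (0.0, "203.0.113.7", "/"),
    (0.1, "203.0.113.7", "/static/site.css"),
    (0.1, "203.0.113.7", "/static/app.js"),
    (0.2, "203.0.113.7", "/images/logo.png"),
    (0.2, "203.0.113.7", "/favicon.ico"),
    (0.3, "203.0.113.7", "/images/hero.jpg"),
    (3.0, "203.0.113.7", "/products/42"),
    (3.1, "203.0.113.7", "/images/product42.jpg"),
]

# Constructed sample: a scanner hammering 20 dynamic paths in two seconds.
SCAN = [(i / 10, "198.51.100.9", f"/admin/page{i}") for i in range(20)]

# Assumed list of cacheable static-asset suffixes (adjust to your own site).
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".ico", ".svg", ".woff2")


def matches_all(path: str) -> bool:
    """The thread's rule: starts_with(http.request.uri.path, "/")."""
    return path.startswith("/")


def matches_dynamic(path: str) -> bool:
    """Rule scoped to non-cached pages. Approximate Cloudflare equivalent (my
    assumption, not from the thread):
      not (ends_with(http.request.uri.path, ".css") or
           ends_with(http.request.uri.path, ".js") or ...)
    """
    return not path.endswith(STATIC_SUFFIXES)


def first_block(requests, predicate, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Per-client-IP sliding-window counter over requests matching `predicate`.

    Returns (timestamp, path) of the first request that exceeds `threshold`
    matching requests within `window` seconds, or None if the rule never trips.
    """
    recent = defaultdict(deque)  # client IP -> timestamps of counted requests
    for ts, ip, path in requests:
        if not predicate(path):
            continue               # request does not match the rule expression
        q = recent[ip]
        while q and ts - q[0] >= window:
            q.popleft()            # drop requests that fell out of the window
        q.append(ts)
        if len(q) > threshold:
            return (ts, path)
    return None


if __name__ == "__main__":
    # A single page load trips the "starts with /" rule on its sixth asset.
    print("all paths, normal visit :", first_block(PAGE_VISIT, matches_all))
    # Scoped to dynamic pages, the same visit counts only "/" and "/products/42".
    print("dynamic only, normal visit:", first_block(PAGE_VISIT, matches_dynamic))
    # The scoped rule still stops an aggressive scan of dynamic paths.
    print("dynamic only, scan        :", first_block(SCAN, matches_dynamic))
```

The first call trips on the sixth request of the very first page load, which is the failure mode the post warns about; the second never trips for a normal visitor; the third shows the narrower rule still catches a scanner on its sixth probe.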

Enterprise pricing isn’t really per zone, it’s more custom than that. I have an Enterprise account; it has 1 Enterprise zone and ~40 non-enterprise zones. Some enterprise features apply across the account, some partially, and most don’t, so those look like they would in a free account. When ordering you talk to the CSM about what you want (features, traffic, etc.) and a custom price and package is worked out. My extra zones all redirect to the enterprise zone anyway and are just for trademark protection, so all the security is applied that way.

