No results found

No results found

Cloudflare Rate Limiting

Cloudflare's Rate Limiting improves the availability and security of your online assets, such as websites or APIs, by providing extra protection against Layer 7 Denial of Service (DoS) attacks. Layer 7 DoS attacks send high volumes of HTTP requests designed to harm your application. Most of these attacks attempt to make your website or API inaccessible to legitimate users. Some attacks, such as brute-force, try to break through your login page by submitting credential combinations in high frequencies until they crack a legitimate password.

Bad actors continue to make their attacks appear more like legitimate traffic, making it increasingly difficult to block malicious requests without hurting real users. Rate Limiting gives you granular controls to detect bad traffic, customized rulesets to ensure that your legitimate visitors are not impacted, and insights to improve your security posture as attackers evolve.

Sign Up for Early Access

Fill out my online form.

Login Protection

Rate Limiting shapes how Internet traffic interacts with your application. Prevent brute force password cracking by setting a request threshold across login access points on your website or application. Suspicious IP addresses which trigger detection can be mitigated differently, based on threat level, to help ensure that legitimate users aren’t banned. As a result, real users can continue to login to your applications while truly bad traffic is stopped without consuming backend resources.

API Protection

Stop abusive traffic targeting your APIs by creating sophisticated detection rules, such as flexible rate limiting thresholds, URI wildcards, and detection criteria based on authentication tokens and origin response. Custom error responses let you provide actionable information for legitimate clients to successfully reach your APIs. Rulesets take less than a minute to replicate throughout our global network.

Rate Limiting mitigates requests that exceed a specified threshold. Mitigation actions can be as benign as logging a request, to presenting visitors a CAPTCHA, or completely blocking any future requests from the source.

Site-Wide Protection

For site-wide rate limiting, Rate Limiting lets you configure a maximum number of requests per second across your entire website. Both your domain and subdomains are protected from volumetric requests coming from all IP addresses. Setting request thresholds using Rate Limiting, which matches the capacities of your origin server, provides additional protection against attacks, which can bring down your application, website, or API.

Insights

Rate Limiting insights provide information into the type of traffic being mitigated so you can fine-tune your security posture while ensuring availability to legitimate users. Rate Limiting insights tells you which parts of your applications, clients, and geographies are mitigated the most, so you can continue to respond to evolving bad actors and their threats.

Additional Benefits

Native CDN Integration

All traffic is routed through our next generation, global Content Delivery Network (CDN). Our platform was designed and built from the ground up to integrate emerging technologies to ensure our customers support the most advanced protocols on the web; today and tomorrow.

Learn More

Layered Security

Our robust suite of security services include DDoS protection, a web application firewall (WAF), cutting edge encryption features, DNSSEC, and much more. Cloudflare operates at the edge of the network, making it possible to identify and mitigate threats before they ever reach your origin.

Learn More

Innovative Technology

Cloudflare offers detailed insights, WebSockets support, HTTP/2 and Server Push, IPv6 compatibility, mobile image acceleration, content scraping prevention features, and much more. Cloudflare is backed by global technology powerhouses, including Microsoft, Google, Baidu and Qualcomm.

Learn More

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free $ 0 /month per website
Select
Expand to see more
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Learn More

The Free Plan includes all of these features:
  • Limited DDoS protection
  • Global CDN
  • Shared SSL certificate
  • 3 page rules
Compare all features
PRO $ 20 /month per website
Select
Expand to see more
For professional websites, blogs, and portfolios requiring basic security and performance.

Learn More

The Pro Plan includes all of these features:
  • Basic web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • 20 page rules
Compare all features
BUSINESS $ 200 /month per website
Select
Expand to see more
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

Learn More

The Business Plan includes all of these features:
  • Advanced DDoS protection
  • Advanced web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to TLS 1.2 only mode and WAF
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized support
  • 50 page rules
Compare all features
Enterprise contact us
Select
Expand to see more
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

Learn More

The Enterprise Plan includes all of these features:
  • 24/7/365 enterprise-grade phone and email support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Advanced DDoS protection with prioritized IP ranges
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to raw logs
  • Dedicated solution and customer success engineers
  • Access to China CDN points of presence (Additional Cost)
  • 100 page rules
Compare all features

Free

$ 0 / month
 
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Learn More

Add a Website

Pro

$ 20 / month
per domain
For professional websites, blogs, and portfolios requiring basic security and performance.

Learn More

Get Pro
MOST POPULAR

Business

$ 200 / month
per domain
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized support.

Learn More

Get Business

Enterprise

Contact Us
 
For companies requiring enterprise-grade security and performance, 24/7/365 emergency support, and guaranteed uptime across one or more Internet assets.

Learn More

Get in touch

Trusted By

Read some of our case studies

Rate Limiting in Action

This interactive demo provides three different examples of how rate limiting protects your endpoints from suspicious requests.

  • Brute Force Login Protection

  • API Abuse Protection

  • High Precision DoS Protection

Demo: Brute Force Login Protection

Attempt to Login 3 Times Under 1 Minute

This example demonstrates the ability to limit the number of login attempts. Visitors get 3 login attempts per minute. If they exceed this threshold, the will be denied the ability to login for 5 minutes.

Login

Demo: API Abuse Protection

Click Run to initiate API scrapper

This example shows simulates a content scrapper programmatically hammering an API. With Rate Limiting, we mitigate API service degradation by limiting 10 requests to our endpoint before serving a custom JSON response

curl -X GET "https://api.cloudflare.com/client/v4/zones/cd7d0123e3012345da9420df9514dad0"
Demo: High Precision DOS Protection

Refresh the content 5 times in under 1 minute

This example shows how a denial-of-service attack attempts to disrupt the service. By restricting the number of requests made to a specific resource to 5 requests, even the most sophisticated distributed denial-of-service attacks can be mitigated.

Refreshing... Content loaded successfully. Try refreshing again Request blocked. Try again in 3 minutes