Expression:
(http.request.uri.path eq "/login" and ip.src.country eq "US" and ip.src ne 192.0.0.1)
Rule characteristics:
- Data center ID (included by default when creating the rule in the dashboard)
- IP Address
Rule examples
The examples below include sample rate limiting rule configurations.
The following rate limiting rule performs rate limiting on incoming requests from the US addressed at the login page, except for one allowed IP address.
The following rate limiting rule performs rate limiting on incoming requests with a given base URI path, incrementing on the IP address and the provided API key.
Expression:
(http.request.uri.path contains "/product" and http.request.method eq "POST")
Rule characteristics:
- Data center ID (included by default when creating the rule in the dashboard)
- IP Address
- Header value of >
x-api-key
The following rate limiting rule performs rate limiting on requests targeting multiple URI paths in two hosts, excluding known bots. The request rate is based on IP address and User-Agent values.
Expression:
(http.request.uri.path eq "/store" or http.request.uri.path eq "/prices") and (http.host eq "mystore1.com" or http.host eq "mystore2.com") and not cf.client.bot
Rule characteristics:
- Data center ID (included by default when creating the rule in the dashboard)
- IP Address
- Header value of >
user-agent
The following rate limiting rule performs complexity-based rate limiting. The rule takes into account the my-score HTTP response header provided by the origin server to calculate a total complexity score for the client with the provided API key.
The counter with the total score is updated when there is a match for the rate limiting rule's counting expression (in this case, the same as the rule expression since a counting expression was not provided). When this total score becomes larger than 400 during a period of one minute, any later client requests will be blocked for a period of 10 minutes.
Expression:
(http.request.uri.path wildcard "/graphql/*")
Rule characteristics:
- Data center ID (included by default when creating the rule in the dashboard)
- Header value of >
x-api-key
When rate exceeds: Complexity based
- Score per period:
400 - Period: 1 minute
- Response header name:
my-score
Then take action:
- Choose action: Block
With the following behavior: Block for the selected duration
- Duration: 10 minutes
For an API example with this rule configuration, refer to Create a rate limiting rule via API.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
