securitycloudflarerate-limitingwebsecurity

Counter for Rate Limit on Cloudflare for Different Endpoints in Request Traffic


I have 3 API endpoints which need same rate-limiting on Cloudflare. So, I have clubbed them together.

The rule goes like this:

If incoming requests match:

Host = "https://www.x.com" AND URI Path = "/a"
OR
Host = "https://www.x.com" AND URI Path = "/b"
OR
Host = "https://www.x.com" AND URI Path = "/c"

(Notice the usage of AND and OR operators above)

with the same characteristics:

Header value of identifier

When rate exceeds:

10 requests in 1 minute

Then take action:

Block requests for 1 day

What happens out of the following:


Solution

  • Are individual counter buckets created for paths a, b & c?

    So, only when a user makes 10 requests for path a (or 10 requests for path b or 10 requests for path c) within a minute, the user gets blocked for a day.

    No, bucket only counts on Header value of identifier in this case.

    You need to set AND Path condition additionally

    enter image description here

    Is a common counter bucket created for all paths a, b & c combined together?

    So, if a user makes 7 requests for path a and 3 requests for path c within a minute, the user gets blocked for a day.

    Yes. If you want to separate bucket for each path, you will have to do the thing above.

    See this documentation in detail

    https://developers.cloudflare.com/waf/rate-limiting-rules/request-rate/

    a