Articles

Rate Limiting with Cloudflare Rules: WAF and Quota (2026)

April 18, 2026 3 min read

Cloudflare’s rate limiting rules, particularly when combined with WAF and Quota, aren’t just about blocking traffic; they’re about shaping it to protect your origin and ensure fair usage for all your users.

Let’s see this in action. Imagine a common scenario: a surge of automated requests hitting your API endpoint, overwhelming your backend.

{
  "url": "/api/v1/users",
  "method": "POST",
  "headers": {
    "User-Agent": "MyAwesomeClient/1.0",
    "Content-Type": "application/json"
  },
  "body": {
    "username": "testuser",
    "password": "password123"
  }
}

Without proper rate limiting, thousands of these could hit simultaneously. With a Cloudflare rate limiting rule, we can define a threshold.

Here’s a simplified look at how a Cloudflare Rate Limiting rule might be configured in their dashboard or via API:

  • Rule Name: API User Creation Limit
  • Description: Limit POST requests to /api/v1/users to 100 per minute.
  • Match Criteria:
    • URI path equals /api/v1/users
    • HTTP method equals POST
  • Rate Limiting Criteria:
    • Requests per 1 minute is greater than 100
  • Action: Block with 429 Too Many Requests response.

This rule means that if more than 100 POST requests to /api/v1/users originate from the same IP address within a 60-second window, Cloudflare will intercept subsequent requests and return a 429 Too Many Requests error, preventing them from ever reaching your origin server.

The "Quota" aspect comes into play when you want to enforce limits not just on a per-request basis but over longer periods or across different dimensions. For instance, you might want to limit a specific user ID (if you can identify it via a header or cookie) to a certain number of API calls per day, regardless of their IP address. This requires a more sophisticated setup, often involving custom WAF rules that extract user identifiers and then apply a "quota" mechanism.

The core problem Cloudflare’s rate limiting solves is resource exhaustion. Whether it’s your web server’s CPU, memory, database connections, or even third-party API rate limits you depend on, excessive traffic can bring your application to its knees. Rate limiting acts as a shock absorber, smoothing out traffic spikes and protecting these critical resources.

Internally, Cloudflare maintains counters for each unique identifier (like IP address, or a custom identifier you define) against your configured rate limiting rules. When a request matches a rule’s criteria, Cloudflare increments the counter for that identifier. If the counter exceeds the defined threshold within the specified time window, the action (e.g., Block) is triggered.

The key levers you control are:

  1. Match Criteria: What traffic does this rule apply to? (e.g., specific URLs, methods, headers, country codes).
  2. Rate Limiting Criteria: How many requests trigger the limit? (e.g., 100 requests, 1000 requests).
  3. Time Window: Over what period is the count measured? (e.g., 1 minute, 10 minutes, 1 hour).
  4. Action: What happens when the limit is hit? (e.g., Block, Managed Challenge, Log).
  5. Counting Expression (for Quotas/Advanced): How do we identify unique entities to rate limit? This is where you might use cf.unique_visitor_id, specific headers like X-User-ID, or even cookies.

When using WAF Custom Rules to implement more granular quotas, you can use the cf.ratelimit.<rule_id>.count expression. This allows you to increment a specific counter associated with a WAF rule, which you can then reference in a separate rate-limiting rule or use to trigger actions directly. For example, a WAF rule might extract a session_id from a cookie and then increment a counter associated with that session_id.

A common pitfall is forgetting to account for legitimate, high-traffic user actions. If you set a rate limit too low, you might inadvertently block your own users during peak times or when they perform expected bulk operations. Always test your rate limiting rules with representative traffic patterns and consider implementing Managed Challenge or Log actions initially before switching to Block.

The next step after mastering basic rate limiting is understanding how to combine it with other Cloudflare features, like Bot Management, to differentiate between human users and automated threats.

Want structured learning?

Take the full Rate-limiting course →