Cloudflare Docs
WAF

Create rate limiting rules via API

Use the Rulesets API to create a rate limiting rule via API.

A rate limiting rule is similar to a regular rule handled by the Ruleset Engine, but contains an additional ratelimit object with the rate limiting configuration. Refer to Rate limiting parameters for more information on this field and its parameters.

You must deploy rate limiting rules to the http_ratelimit phase entry point ruleset.

Rate limiting rules must appear at the end of the rules list.

Create a rate limiting rule

To create a rate limiting rule for a zone, add a rule with a ratelimit object to the http_ratelimit phase entry point ruleset.

  1. Invoke the List zone rulesets method to obtain the list of rulesets in your zone. You will need the zone ID for this operation.

  2. Search for an entry point ruleset for the http_ratelimit phase in the response. Such a ruleset would have the following properties: "kind": "zone" and "phase": "http_ratelimit". If you find the ruleset, take note of its ID for the next step.

  3. If the entry point ruleset already exists, invoke the Create a zone ruleset rule operation to add a rate limiting rule to the existing ruleset. By default, the rule will be added at the end of the list of rules already in the ruleset. Refer to the examples below for details.

    If the entry point ruleset does not exist, invoke the Create a zone ruleset operation to create the entry point ruleset with the new rate limiting rule. Refer to Create ruleset for an example.
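The three steps above as a script, added here as an example (not Cloudflare's own code): the ruleset lookup and the rule body are pure functions, and only deploy_rate_limit_rule talks to the API. It assumes the caller supplies the zone ID and an API token allowed to edit the zone's rulesets; path_prefix is inserted verbatim into the rule's regular expression.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def find_ratelimit_entrypoint(rulesets):
    """Step 2: return the ID of the http_ratelimit phase entry point ruleset
    (kind "zone", phase "http_ratelimit") from a list-rulesets result, or None."""
    for rs in rulesets:
        if rs.get("kind") == "zone" and rs.get("phase") == "http_ratelimit":
            return rs["id"]
    return None


def build_rate_limit_rule(path_prefix, requests_per_period, period=60, mitigation_timeout=600):
    """Build a rule body with the same characteristics as Example A."""
    return {
        "description": f"Rate limit {path_prefix}",
        "expression": f'(http.request.uri.path matches "^{path_prefix}")',
        "action": "block",
        "ratelimit": {
            "characteristics": ["cf.colo.id", "ip.src", 'http.request.headers["x-api-key"]'],
            "period": period,
            "requests_per_period": requests_per_period,
            "mitigation_timeout": mitigation_timeout,
        },
    }


def _call(method, url, token, body=None):
    """Minimal JSON client for the Rulesets API (urllib only, no extra dependencies)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def deploy_rate_limit_rule(zone_id, token, rule):
    """Steps 1 and 3: list the zone's rulesets, then add the rule to the existing
    entry point ruleset, or create that ruleset with the rule if it is missing."""
    listing = _call("GET", f"{API}/zones/{zone_id}/rulesets", token)
    ruleset_id = find_ratelimit_entrypoint(listing["result"])
    if ruleset_id:
        return _call("POST", f"{API}/zones/{zone_id}/rulesets/{ruleset_id}/rules", token, rule)
    new_ruleset = {"name": "Rate limiting entry point", "kind": "zone",
                   "phase": "http_ratelimit", "rules": [rule]}
    return _call("POST", f"{API}/zones/{zone_id}/rulesets", token, new_ruleset)
```

Because the new rule is appended by default, this keeps rate limiting rules at the end of the rules list, as the page requires.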

Example A - Rate limiting based on request properties

This example adds a rate limiting rule to the http_ratelimit phase entry point ruleset for the zone with ID {zone_id}. The phase entry point ruleset already exists, with ID {ruleset_id}.

curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "description": "My rate limiting rule",
  "expression": "(http.request.uri.path matches \"^/api/\")",
  "action": "block",
  "ratelimit": {
    "characteristics": [
      "cf.colo.id",
      "ip.src",
      "http.request.headers[\"x-api-key\"]"
    ],
    "period": 60,
    "requests_per_period": 100,
    "mitigation_timeout": 600
  }
}'

To define a specific position for the new rule, include a position object in the request body according to the guidelines in Change the order of a rule in a ruleset.

For instructions on creating an entry point ruleset and defining its rules using a single API call, refer to Add rules to phase entry point rulesets.

Example B - Rate limiting with a custom response

This example adds a rate limiting rule to the http_ratelimit phase entry point ruleset for the zone with ID {zone_id}. The phase entry point ruleset already exists, with ID {ruleset_id}.

The new rule defines a custom response for requests blocked due to rate limiting.

curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "description": "My rate limiting rule",
  "expression": "(http.request.uri.path matches \"^/api/\")",
  "action": "block",
  "action_parameters": {
    "response": {
      "status_code": 403,
      "content": "You have been rate limited.",
      "content_type": "text/plain"
    }
  },
  "ratelimit": {
    "characteristics": [
      "cf.colo.id",
      "ip.src",
      "http.request.headers[\"x-api-key\"]"
    ],
    "period": 60,
    "requests_per_period": 100,
    "mitigation_timeout": 600
  }
}'

To define a specific position for the new rule, include a position object in the request body according to the guidelines in Change the order of a rule in a ruleset.

For instructions on creating an entry point ruleset and defining its rules using a single API call, refer to Add rules to phase entry point rulesets.

Example C - Rate limiting ignoring cached assets

This example adds a rate limiting rule to the http_ratelimit phase entry point ruleset for the zone with ID {zone_id}. The phase entry point ruleset already exists, with ID {ruleset_id}.

The new rule does not consider requests for cached assets when calculating the rate.

curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "description": "My rate limiting rule",
  "expression": "(http.request.uri.path matches \"^/api/\")",
  "action": "block",
  "ratelimit": {
    "characteristics": [
      "cf.colo.id",
      "ip.src",
      "http.request.headers[\"x-api-key\"]"
    ],
    "period": 60,
    "requests_per_period": 100,
    "mitigation_timeout": 600,
    "requests_to_origin": true
  }
}'

To define a specific position for the new rule, include a position object in the request body according to the guidelines in Change the order of a rule in a ruleset.

For instructions on creating an entry point ruleset and defining its rules using a single API call, refer to Add rules to phase entry point rulesets.

Example D - Complexity-based rate limiting rule

This example adds a rate limiting rule to the http_ratelimit phase entry point ruleset for the zone with ID {zone_id}. The phase entry point ruleset already exists, with ID {ruleset_id}.

The new rule is a complexity-based rate limiting rule that takes the my-score HTTP response header into account to calculate a total complexity score for the client. The counter with the total score is updated when there is a match for the rate limiting rule’s counting expression (in this case, the same as the rule expression). When this total score becomes larger than 400 during a 60-second period, any later client requests will be blocked for a period of 600 seconds (10 minutes).

curl https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/{ruleset_id}/rules \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '{
  "description": "My complexity-based rate limiting rule",
  "expression": "http.request.uri.path matches \"^/graphql/\"",
  "action": "block",
  "ratelimit": {
    "characteristics": [
      "cf.colo.id",
      "http.request.headers[\"x-api-key\"]"
    ],
    "period": 60,
    "score_per_period": 400,
    "score_response_header_name": "my-score",
    "mitigation_timeout": 600,
    "counting_expression": ""
  }
}'
```
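To make the counting semantics of Example D concrete, here is an added simulation (not Cloudflare's implementation) of how the my-score header accumulates per characteristics key until the 400 threshold is crossed and the 600-second mitigation starts. It assumes a single fixed 60-second window per key, which is a simplification of the real counter; the traffic is constructed.

```python
from collections import defaultdict

PERIOD = 60                 # "period"
SCORE_PER_PERIOD = 400      # "score_per_period"
MITIGATION_TIMEOUT = 600    # "mitigation_timeout"
SCORE_HEADER = "my-score"   # "score_response_header_name"


class ComplexityLimiter:
    """Simplified model (an assumption, not Cloudflare's internals): one fixed
    60-second window and one score counter per characteristics key."""

    def __init__(self):
        self.window_start = {}            # key -> start time of the current period
        self.score = defaultdict(int)     # key -> accumulated complexity score
        self.blocked_until = {}           # key -> time the mitigation ends

    def handle(self, now, colo_id, api_key, response_headers):
        """Decide one request that matched the rule expression. The key is
        (cf.colo.id, x-api-key), mirroring Example D's characteristics."""
        key = (colo_id, api_key)
        if now < self.blocked_until.get(key, -1):
            return "block"                # still inside mitigation_timeout
        start = self.window_start.get(key)
        if start is None or now - start >= PERIOD:
            self.window_start[key] = now  # a new period starts with a fresh counter
            self.score[key] = 0
        # The counting expression matched, so the origin's score header is added.
        self.score[key] += int(response_headers.get(SCORE_HEADER, 0))
        if self.score[key] > SCORE_PER_PERIOD:
            # This request was already served; later requests are blocked.
            self.blocked_until[key] = now + MITIGATION_TIMEOUT
        return "allow"


def demo():
    """Constructed traffic: key "k1" sends five queries the origin scores at 90
    each (total 450 > 400), then more; key "k2" shares the colo but is unaffected."""
    lim = ComplexityLimiter()
    first_five = [lim.handle(t, 42, "k1", {"my-score": "90"}) for t in range(0, 50, 10)]
    sixth = lim.handle(55, 42, "k1", {"my-score": "10"})
    other_key = lim.handle(56, 42, "k2", {"my-score": "10"})
    after_timeout = lim.handle(55 + MITIGATION_TIMEOUT, 42, "k1", {"my-score": "10"})
    return first_five, sixth, other_key, after_timeout
```

The run shows that a few expensive queries exhaust the budget even though the request count (five) would be far below a typical requests_per_period threshold.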

To define a specific position for the new rule, include a position object in the request body according to the guidelines in Change the order of a rule in a ruleset.

For instructions on creating an entry point ruleset and defining its rules using a single API call, refer to Add rules to phase entry point rulesets.