The Rate Limiting API is deprecated in favor of using the Ruleset Engine. See the deprecation notice for full details. Create a rate limit
Creates a new rate limit for a zone.
const rateLimit = await client.rateLimits.create({
zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
threshold: 60,
period: 60,
action: {
mode: 'challenge',
},
match: {
request: {
url: '*.example.com/path*',
},
},
});
The threshold that triggers the rate limit mitigation. Configure this value along with the period property to establish a threshold per period.
The time in seconds to count matching traffic. If the count exceeds the threshold within this period, Cloudflare performs the configured action.
The action to perform when the threshold is exceeded.The action to perform: simulate, ban, challenge, js_challenge, or managed_challenge
The time in seconds during which Cloudflare will perform the mitigation action. Must be greater than or equal to the period.
Custom response to return when threshold is exceeded.Content type: text/plain, text/xml, or application/json
The response body to return
Determines which traffic the rate limit counts toward the threshold.Request matching criteria.URL pattern to match (e.g., example.org/path*). Use * for wildcards.
HTTP methods to match: GET, POST, PUT, DELETE, PATCH, HEAD, or _ALL_
HTTP schemes to match: HTTP, HTTPS, or _ALL_
Response matching criteria.When true, only uncached traffic served from origin servers counts toward rate limiting.
Array of header matching rules.Operator: eq (equal) or ne (not equal)
The header value to match
An informative summary of the rate limit rule.
When true, the rate limit is currently disabled.
Criteria specifying when the rate limit should be bypassed.Set to url for URL-based bypass
The unique identifier of the rate limit
The time period in seconds
The traffic matching criteria
Whether the rate limit is disabled
List rate limits
Fetches all rate limits for a zone.
for await (const rateLimit of client.rateLimits.list({
zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
})) {
console.log(rateLimit.id);
}
Page number of paginated results
Get a rate limit
Fetches details of a single rate limit.
const rateLimit = await client.rateLimits.get(
'rate_limit_id',
{ zone_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);
The rate limit identifier
Update a rate limit
Updates an existing rate limit.
const rateLimit = await client.rateLimits.edit(
'rate_limit_id',
{
zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
threshold: 100,
period: 60,
action: {
mode: 'ban',
timeout: 300,
},
match: {
request: {
url: '*.example.com/api/*',
},
},
},
);
The rate limit identifier
Delete a rate limit
Deletes an existing rate limit.
await client.rateLimits.delete(
'rate_limit_id',
{ zone_id: '023e105f4ecef8ad9ca31a8372d0c353' },
);
The rate limit identifier
Example: Protect login endpoint
const rateLimit = await client.rateLimits.create({
zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
description: 'Protect login from brute force',
threshold: 5,
period: 60,
action: {
mode: 'challenge',
timeout: 600,
},
match: {
request: {
url: 'example.com/login',
methods: ['POST'],
},
},
});
Example: API rate limiting with custom response
const rateLimit = await client.rateLimits.create({
zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
description: 'API rate limit',
threshold: 1000,
period: 60,
action: {
mode: 'simulate',
response: {
content_type: 'application/json',
body: JSON.stringify({
error: 'Rate limit exceeded',
retry_after: 60,
}),
},
},
match: {
request: {
url: 'api.example.com/*',
},
},
});
Migration to Ruleset Engine
For new implementations, use the Ruleset Engine instead of the deprecated Rate Limiting API. The Ruleset Engine provides more flexible and powerful rate limiting capabilities through custom rules.