Rate Limiting

Protect your APIs from abuse and your origin from being overwhelmed

Cloudflare Rate Limiting allows you to define granular thresholds for requests to your application and automatically block or log clients that exceed those limits.
Start building for free View docs
Performance and Accuracy at Scale

Our rate limiting happens at Cloudflare's edge, across 330+ cities. We can block excessive traffic before it ever touches your origin server, saving you bandwidth and compute resources.

Rich, Flexible Rules Engine

Define limits based on a wide range of characteristics beyond just IP address, such as specific HTTP headers, query parameters, or even the result of a WAF check.

Cost-Effectiveness

Simple, predictable pricing that is often far lower than a DIY solution, especially when factoring in your saved origin costs.

Edge-based traffic control and abuse prevention

Rate Limiting protects your applications and APIs from abuse, downtime, and cost overruns caused by excessive request rates from malicious bots or misbehaving clients. It gives you precise control over your application's traffic, allowing you to protect your origin servers, ensure availability for legitimate users, and prevent unexpected infrastructure costs.

Background Pattern
Rate Limiting

Perfect for Traffic Control

You can use Rate Limiting to:

View docs

Login Endpoint Protection

Protecting login endpoints from password-spraying and brute-force attacks.

API Cost Control

Cost control for expensive API calls.

Session-Based API Defense

Protecting APIs by tracking usage based on session identifiers found in HTTP headers or cookies, neutralizing distributed botnets.

Distributed Attack Mitigation

Our distributed counting is highly accurate, preventing the race conditions that can occur with self-managed, multi-region solutions.

Powerful primitives, seamlessly integrated

Built on systems powering 20% of the Internet, Rate Limiting runs on the same infrastructure Cloudflare uses to build Cloudflare. Enterprise-grade reliability, security, and performance are standard.

Compute

Workers

Global serverless functions

Containers

Any language, anywhere

Durable Objects

Stateful compute

Browser Rendering

Automated browsers

Workflows

Process orchestration

Storage

R2

Egress-free storage

Hyperdrive

Global databases

D1

Serverless SQL

KV

Key-value speed

Queues

Message processing

AI

Workers AI

Edge AI models

AI Gateway

AI observability

Vectorize

Vector database

AI Search

Instant retrieval

Media

Images

Image optimization

Stream

Video streaming

RealtimeKit

Live comms

TURN / SFU

Real-time infra

Network

DNS

CDN

WAF

Load Balancing

Rate Limiting

Bot Mitigation

Build without boundaries

Join thousands of developers who've eliminated infrastructure complexity and deployed globally with Cloudflare. Start building for free — no credit card required.

Start building for free View docs