Rate limitation is a powerful custom rule scope that can limit the number of requests users are allowed to perform against a website or for a specific URL and help gain useful insights into your users’ behavior. This article will show you how to set up and monitor a rate-limiting WAF custom rule.
Creating a Rate Limit Rule
- Log in to the StackPath Control Portal
- Navigate to Sites > Website Domain > EdgeRules. The bottom field is labeled as Request Rate Rules.
- Under the Request Rate Rules, select Add Request Rate Rule
Rule name: Choose a name that will be easy to remember
Number of Requests: The number of requests required for the rule to trigger
Duration: The time interval in which the number of requests are counted
It`s recommended to choose a short time frame like 30 seconds or 60 seconds
Action: The action that will be applied when the rule is met
Path Regex: Leave blank if you want to protect all application pages (or “/”) or select a specific URL (e.g. “/login”) for specific paths.
HTTP Method: By default, the rule will include all HTTP methods, you can also multi-select specific ones if needed
IP Address: By default, the rule will be applied to all IP addresses that use the application, you can set the rule to apply to only specific IP addresses
How to Monitor Rate Limit Rules
When a rate limitation rule is triggered, it will be displayed as part of the Custom Rules data point on the WAF Overview page, under the event management (with the rule name you selected when the rate limitation rule was created).