Rate limiting is a custom rule scope that caps the number of requests a client may make against a site, or against a specific URL, within a chosen time window; the events it produces also give useful insight into how your users (and automated clients) behave. This article shows how to set up and monitor a rate-limiting WAF custom rule.
Creating a Rate Limit Rule
- Log in to the StackPath Control Portal
- Go to the WAF section, select a WAF site you would like to edit, and select Custom Rules
- Under Request Rate Rules, select Request Rate Rule and configure the following fields:
Rule name: Choose a name that is easy to recognize later, since it is how the rule appears in the event view.
Number of Requests: The number of requests, within one Duration window, required for the rule to trigger.
Duration: The time interval over which the requests are counted. A short window such as 30 or 60 seconds is recommended.
Action: The action applied to a request once the rule condition is met.
Path: Leave blank (or enter "/") to protect every page of the application, or enter a specific URL (e.g. "/login") to limit only that path. Regular expressions are supported for more complex matching.
HTTP Method: By default the rule covers all HTTP methods; you can multi-select specific methods if needed.
IP Address: By default the rule applies to every IP address that uses the application; you can restrict it so that only specific IP addresses are counted.
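To make the semantics of these fields concrete, the following is an added illustration (not StackPath's code or API) that models a request rate rule with the same fields and evaluates it against a few constructed access-log lines. The counting model is an assumption: one fixed window per client IP, starting at that client's first matching request, with the rule firing once the count within the window reaches Number of Requests. The path field is treated as a regular expression, and the action labels ("block", "log") are placeholders.

```python
"""Hypothetical model of a WAF request-rate rule (added example, not StackPath's
code). Fields mirror the article: name, number of requests, duration, action,
path (regex), HTTP methods and source IP scope."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RequestRateRule:
    name: str
    number_of_requests: int             # requests within one window required to trigger
    duration: int                       # window length in seconds (e.g. 30 or 60)
    action: str                         # placeholder label for the configured action
    path: str = ""                      # blank = every page; otherwise a regex
    methods: Optional[set] = None       # None = all HTTP methods
    ip_addresses: Optional[set] = None  # None = all client IPs
    # Assumed counting model: per client IP -> (window_start_ts, count)
    _windows: dict = field(default_factory=dict, repr=False)

    def applies_to(self, req: dict) -> bool:
        """Scope check: method, source IP and path filters from the rule."""
        if self.methods is not None and req["method"] not in self.methods:
            return False
        if self.ip_addresses is not None and req["ip"] not in self.ip_addresses:
            return False
        if self.path and not re.search(self.path, req["path"]):
            return False
        return True

    def evaluate(self, req: dict) -> Optional[str]:
        """Count the request; return the action once the client reaches the limit."""
        if not self.applies_to(req):
            return None
        start, count = self._windows.get(req["ip"], (req["ts"], 0))
        if req["ts"] - start >= self.duration:   # window expired: start a fresh one
            start, count = req["ts"], 0
        count += 1
        self._windows[req["ip"]] = (start, count)
        return self.action if count >= self.number_of_requests else None


# Constructed log format: "<unix ts> <client ip> <method> <path>"
LOG_LINE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+)$")

# Constructed sample traffic: 203.0.113.7 hammers POST /login, 198.51.100.2 does not.
SAMPLE_LOG = """\
1700000000 203.0.113.7 POST /login
1700000001 203.0.113.7 POST /login
1700000002 203.0.113.7 GET /login
1700000003 203.0.113.7 POST /login
1700000004 198.51.100.2 POST /login
1700000005 203.0.113.7 POST /login
1700000006 203.0.113.7 POST /login
1700000007 203.0.113.7 POST /login
1700000008 203.0.113.7 POST /api/status
1700000040 203.0.113.7 POST /login
"""


def parse_log(text: str) -> list:
    """Turn the constructed log lines into request dicts, skipping malformed lines."""
    reqs = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            reqs.append({"ts": int(m[1]), "ip": m[2], "method": m[3], "path": m[4]})
    return reqs


def run_rule(rule: RequestRateRule, text: str) -> list:
    """Return (ts, ip, action) for every request on which the rule fired."""
    rule._windows.clear()
    events = []
    for req in parse_log(text):
        action = rule.evaluate(req)
        if action:
            events.append((req["ts"], req["ip"], action))
    return events


# A login-specific rule: 5 POSTs to /login within 30 s from one IP triggers "block".
LOGIN_RULE = RequestRateRule("login-rate", 5, 30, "block", path=r"^/login$", methods={"POST"})
# A site-wide rule with the defaults: all paths, all methods, all IPs; 8 requests per 60 s.
SITE_RULE = RequestRateRule("site-wide", 8, 60, "log")

if __name__ == "__main__":
    for rule in (LOGIN_RULE, SITE_RULE):
        for ts, ip, action in run_rule(rule, SAMPLE_LOG):
            print(f"{rule.name}: {action} {ip} at {ts}")
```

Running it shows the GET to /login and the /api/status request are not counted by the login rule, the fifth and later POSTs from 203.0.113.7 fire it, and the request at 1700000040 lands in a new window and does not. The site-wide rule, with no path or method filter, counts everything from a client, so it fires on the client's eighth request within 60 seconds.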
How to Monitor Rate Limit Rules
When a rate limitation rule triggers, the event appears in the Custom Rules data point on the WAF Overview page, under event management, labeled with the rule name you chose when the rule was created.