Creating Rate Limit Rules

Overview

You can use this document to learn how to create a custom rate limit rule.

You can create a rate limit rule to limit the number of requests users are allowed to perform against a website or specific URL. This type of information can be used to learn about your users' behavior.

Creating a Rate Limit Rule

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites.
2. Locate and select the desired site.
3. In the left-side navigation menu, click EdgeRules.
4. Navigate to Custom Rules, and then select Add WAF Rule.
5. Under Rule Name, enter a descriptive name.
6. Under Rule Status , use the slider to immediately enable or disable the rule.
   • As an option, you can create a disabled rule, and then at a later time, you can enable the rule.
7. Under Rule Type, select Request Rate.
8. Under Number of Requests, enter the number of requests required for the rule to trigger.
9. Under Duration, select the time frame that defines how long we will count requests for.
   
   • StackPath recommends that you select a short time frame, such as 30 seconds or 1 minute.
   • The duration in which Actions are performed are not defined by this Duration value set in the Portal. This Duration value can be defined using the actionDuration parameter in our API.
10. Under Action, select the Action you would like to apply to each request when the rule is triggered. Actions are not permanent, as they will continue to trigger only until the specified duration time is over. Once this time is over, the request counter will reset and start again.
    
    • Allow
      • This action type will allow specified traffic to view the application's content and exclude the user from any security checks.
    • Block
      • This action type will block specified traffic from accessing the application's content.
    • Monitor
      • This action type will log any request that meets the condition of the rule.
      • This action type does send any challenge to the user.
    • Captcha
      • This action type will display a Captcha challenge before the user can view the application's content.
    • JavaScript Validation
      • This action type will display a JavaScript validation challenge before the user can view the application's content.
11. (Optional) Under Path Regex, indicate the pages or URL to apply to the rule.
    • To protect all application pages, leave the field blank or enter a slash ( / ).
    • To protect a specific page, enter a URL, such as /login.
12. (Optional) Under HTTP Methods, select a method to include in the rule.
    • By default, the rule will include all HTTP methods.
    • You can select multiple methods.
13. (Optional) Under IP Address, enter a specific IP address to apply to the rule.
    • By default, the rule will apply to all IP addresses that use the application.
    • You can enter multiple IP addresses, one address per line.

Specifying a URL, HTTP Method, or IP Address will apply a filter that will apply your rate limiting rule only to requests matching these fields. If these fields are left empty, then the rule will apply to all requests.

View a Triggered Rule

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites.
2. Locate and select the desired site.
   • This action will refresh the portal.
3. In the left-side navigation menu, click Analytics.
4. Click the WAF tab.
5. In the graph, mark Custom Rule - Blocked and/or Custom Rule - Allowed to display triggered custom rules.
6. Under Requests, review your triggered rules, which will display the Rule Name.