Counter for Rate Limit on Cloudflare for Different Endpoints in Request Traffic
I have 3 API endpoints which need same rate-limiting on Cloudflare. So, I have clubbed them together.
The rule goes like this:
If incoming requests match:
Host = "https://www.x.com" AND URI Path = "/a"
OR
Host = "https://www.x.com" AND URI Path = "/b"
OR
Host = "https://www.x.com" AND URI Path = "/c"
(Notice the usage of AND and OR operators above)
with the same characteristics:
Header value of identifier
When rate exceeds:
10 requests in 1 minute
Then take action:
Block requests for 1 day
What happens out of the following:
Are individual counter buckets created for paths
a,b&c?So, only when a user makes 10 requests for path
a(or 10 requests for pathbor 10 requests for pathc) within a minute, the user gets blocked for a day.Is a common counter bucket created for all paths
a,b&ccombined together?So, if a user makes 7 requests for path
aand 3 requests for pathcwithin a minute, the user gets blocked for a day.
Are individual counter buckets created for paths a, b & c?
So, only when a user makes 10 requests for path a (or 10 requests for path b or 10 requests for path c) within a minute, the user gets blocked for a day.
No, bucket only counts on Header value of identifier in this case.
You need to set AND Path condition additionally
Is a common counter bucket created for all paths a, b & c combined together?
So, if a user makes 7 requests for path a and 3 requests for path c within a minute, the user gets blocked for a day.
Yes. If you want to separate bucket for each path, you will have to do the thing above.
See this documentation in detail
https://developers.cloudflare.com/waf/rate-limiting-rules/request-rate/
- Implementing Custom Expression Handling with Spring Security 6
- Restricting access to static files in Django/Nginx
- Does RabbitMQ allow Audit Logging
- Powershell Set-MpPreference -DisableRealtimeMonitoring $true not working correctly
- Why are iframes considered dangerous and a security risk?
- Secure Google Cloud Functions http trigger with auth
- How do I get the currently loggedin Windows account from an ASP.NET page?
- Error Importing SSL certificate : Not an X.509 Certificate
- Full text search on encrypted data
- It is necessary to send the JWT token from the browser page to the server
- Is it possible to use double @ in an email address?
- How to replicate the RuntimeDefault seccompProfile in Kubernetes to run in Docker?
- Difference between processes running in kernel mode and running as root?
- Why is it okay to transmit authentication/session cookies over plaintext?
- How to handle .env.local in a next js typescript file?
- How does Maven 3 password encryption work?
- Do we need encrypt session id before saving it into database
- Any point in using a paid threat intelligence service over Google's Lookup API for detecting malicious URLs?
- How to securely update configuration for root password in yocto?
- how to secure and encrypt setting.xml paswords file in maven?
- How to convert a PKCS#8 encoded RSA key into PKCS#1 in Java?
- Vector securely erasing its memory
- How to safely run user-supplied Javascript code inside the browser?
- curl - Is data encrypted when using the --insecure option?
- ZAP Dynamic SSL certificate option is not available
- how to implement the Eurion constellation security measure
- How can I sanitize user input with PHP?
- Security threats when using bar() vs bar(void)
- Is exposing a session's CSRF-protection token safe?
- is electron's `safeStorage` for passwords and login credentials?