Blog Home   Blog Home

September 26, 2018   •   Yaniv Parasol

Rate Limitation Engine Added To WAF Service


On September 20, 2018 we launched a new rate limitation engine for StackPath WAF which is now available for all WAF customers. The rate limitation engine allows customers to rate limit traffic based on the number of requests per a defined time interval per IP, configure rules for a specific URL (regex is optional), and whitelist specific HTTP methods.

Request Rate Rules

Rate limitation can be used to protect your online application against different types of abusive behavior such as application layer DDoS attacks, content scraping, brute force attempts, and blocking vulnerability scanners. When a rate limitation rule is met the challenge that was configured will be applied. The following challenge types are available: block, Captcha, JavaScript challenge, and monitor.

Rate limitation rules are considered “WAF Custom Rules” and are included in our packages. The number of rules varies based on the packaged selected. Rate limitation requests are counted as “WAF Requests”. Details about the number of WAF Custom Rules and WAF Requests per month included in every package can be found on the pricing page.

Add Request Rate Rule

Use Cases

There are a number of scenarios in which a rate limitation rule can help you protect your online application. Here are three examples:

API Protection
Rate limitation can be used to block malicious traffic. By doing so, you can improve performance and reduce the infrastructure needed to support your APIs.

Brute Force Attempts
Customers who used rate limitation rules to protect their login and signup pages reported a significant reduction in the number of false logins attempts and fake signups.

Block Malicious Traffic
Several of our existing WAF policies are based on the rate limitation engine which is now available to any WAF customer. We are using the same rate limitation capabilities to successfully block malicious traffic from reaching the thousands of WAF protected sites already on our network.

Full Visibility

Full details about rules that were triggered is available under the WAF overview page. Every time a rule threshold is met a security event is created with details about the request that triggered the rule. This useful information provides you the data you need to make better decisions about the security configuration of your online application.

Wall Application Firewall Events

Creating rate limitation rules

Full details about creating a rate limitation rule are available in our Help Center.

Coming Soon

In the coming weeks we’re adding new capabilities that will make the rate limitation and WAF custom rules even more powerful.

  • Custom response code: The ability to configure a specific response code for the WAF block action (current block action returns 403 by default).
  • Time Based Actions: Configure a time frame on which a user will be blocked from accessing your application when a security rule is met. This will allow you to have more control over who accesses your application.

Do you have additional feature requests? We’re eager to hear them. Please provide your feedback in the StackPath portal here.


View All
Stay Informed

Receive our monthly blog newsletter.


Connect with us to stay updated.

Stay Informed

Receive our monthly blog newsletter.


Connect with us to stay updated.