How to Set Up Rate Limiting to Protect Your Website from Traffic Spikes

Understanding Rate Limiting

Rate limiting is a method used to control how many requests a user or system can send to your website or API within a specific time frame. It helps protect your servers from abuse, ensures fair use of resources, and maintains stable performance for all users.
Think of it like a traffic signal for network requests: it prevents any single user or bot from overloading your system with too many requests at once.

Why Rate Limiting Is Important

Rate limiting helps protect your application from abuse and maintain consistent performance. It prevents:

  1. DDoS or DoS attacks that attempt to flood your system with traffic.
  2. Brute-force login attempts by malicious bots.
  3. Unexpected traffic spikes that can cause downtime or degraded performance.
  4. Excessive API calls that lead to resource exhaustion.

By setting appropriate rate limits, you can ensure both security and fair usage without disrupting legitimate traffic.

Rate Limit Configuration


To configure rate limits : Go to Security → Rate Limit Rules.
Click Add Rule to create a new policy

Parameters to Configure

Limitation Path – Define the URL path or endpoint where the rule applies. Supports glob patterns (e.g., /api/*).
Number of Requests – Set the maximum allowed requests per IP within the specified time frame.
Time Frame – Choose the duration (seconds, minutes, hours, or days).
Methods – Select HTTP methods (GET, POST, etc.) to exclude.
Unrestricted IPs – Add trusted IP addresses exempt from this limit.
Description – Optional field to describe the rule’s purpose.

Once all fields are configured, click Save to apply the rule.

Rate Limit Behavior

When the defined request limit is exceeded, VergeCloud can respond in one of two ways:
  1. Block: Stops further requests from the IP until the limit resets.
  2. Challenge: Prompts a validation challenge to verify legitimate users and block bots.

You can customize the challenge level and duration based on your security needs.

Example Scenario

You can limit access to a specific endpoint such as: www.example.com/api/contact/form → 20 requests per day
If this threshold is exceeded, the IP will be blocked for 24 hours.
You can exclude trusted IPs (like 1.2.3.4) or allow only specific methods (e.g., POST).

Prioritizing Rules

VergeCloud evaluates rate limit rules based on priority, starting with the highest priority (priority 1).
Once a request matches a rule, lower-priority rules are ignored.

Example:

Path            Requests   Time Frame   Priority
/api/login/**   5          60 seconds   1
/api/**         10         60 seconds   2

This ensures tighter control for login endpoints while keeping general API traffic more flexible.
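As an added illustration (not VergeCloud's own code), the following Python models the first-match priority evaluation described above using the fields from the configuration table: glob path matching, a per-IP request count that resets when the time frame elapses (a fixed-window assumption made here), and an unrestricted-IP exemption. The rule set is the one in the priority table; the client address 203.0.113.7, the paths /api/login/submit and /api/items, and the class and function names are constructed for the example.

```python
import fnmatch

class RateLimitRule:
    """One rule with the fields from the configuration table above.
    Assumption for illustration: a fixed window whose count resets once the
    time frame has elapsed, so a blocked IP is let through again at reset."""
    def __init__(self, path, requests, seconds, priority, unrestricted_ips=()):
        self.path = path                  # glob pattern, e.g. "/api/**"
        self.requests = requests          # max requests per IP per window
        self.seconds = seconds            # time frame in seconds
        self.priority = priority          # 1 is evaluated first
        self.unrestricted_ips = set(unrestricted_ips)
        self.windows = {}                 # ip -> (window_start, count)

    def matches(self, path):
        return fnmatch.fnmatchcase(path, self.path)

    def check(self, ip, ts):
        """Count the request; return True if it stays within the limit."""
        if ip in self.unrestricted_ips:   # trusted IPs are exempt
            return True
        start, count = self.windows.get(ip, (ts, 0))
        if ts - start >= self.seconds:    # time frame elapsed: limit resets
            start, count = ts, 0
        allowed = count < self.requests
        self.windows[ip] = (start, count + 1 if allowed else count)
        return allowed

def evaluate(rules, ip, path, ts):
    """First matching rule (lowest priority number) decides; later ones are ignored."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(path):
            return "allow" if rule.check(ip, ts) else "block"
    return "allow"                        # no rule covers this path

def simulate(rules, trace):
    """Run (ts, ip, path) requests through the rules in order; return decisions."""
    return [evaluate(rules, ip, path, ts) for ts, ip, path in trace]

def page_example():
    """The two rules from the priority table, plus 1.2.3.4 as a trusted IP."""
    rules = [RateLimitRule("/api/login/**", 5, 60, 1, unrestricted_ips={"1.2.3.4"}),
             RateLimitRule("/api/**", 10, 60, 2)]
    # Constructed trace: one client bursts the login endpoint, then the general API.
    trace = [(t, "203.0.113.7", "/api/login/submit") for t in range(7)]
    trace += [(10 + t, "203.0.113.7", "/api/items") for t in range(12)]
    trace += [(61, "203.0.113.7", "/api/login/submit")]  # 60 s window has reset
    trace += [(t, "1.2.3.4", "/api/login/submit") for t in range(7)]  # exempt
    return simulate(rules, trace)
```

Because the login requests match the priority-1 rule, they never count against the /api/** budget, which is why the same client still gets its full 10 general API requests afterwards.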

Best Practices

1. Define Clear Conditions – Apply rate limits to specific URLs, HTTP methods, or IPs for better control.

2. Use Multiple Rules – Set stricter limits for sensitive routes (like /login) and more lenient ones for general traffic.

3. Combine Short and Long Time Windows – Use short windows to stop sudden bursts and longer windows to control sustained traffic.
   Let’s say your login API endpoint is often targeted by bots. You can apply two rules together:
   Rule 1: 5 requests per 10 seconds – stops rapid brute-force attempts.
   Rule 2: 100 requests per 10 minutes – limits consistent automated traffic over time.
   This combination helps block both spikes and steady abuse without affecting genuine users who log in occasionally.

4. Monitor and Adjust – Review logs and traffic behavior to fine-tune thresholds for the best balance between security and usability.

Testing and Validation

To verify your rate limit setup:
1. Use curl to simulate repeated requests and check for HTTP 429 (Too Many Requests) responses.
2. Visit the configured path in a browser to confirm whether it’s blocked or challenged when limits are reached.
3. Optionally, use dig for DNS-related rate limit checks if applicable.
