[WAF] Rate limiting: Update best-practices.mdx (#26480)

Addresses PCX-19114

---------

Co-authored-by: Pedro Sousa <[email protected]>

Author: 2 people

src/content/docs/waf/rate-limiting-rules/best-practices.mdx

@@ -28,6 +28,20 @@ A common use case is to limit the rate of requests performed by individual user
 | Rate (Requests / Period) | 100 requests / 10 minutes        |
 | Action                   | Managed Challenge                |
 
+### Limit reuse of a single `cf_clearance` cookie
+
+After a visitor successfully passes a Managed Challenge, Cloudflare issues a `cf_clearance` cookie to identify them as verified. However, malicious actors may attempt to reuse or share a single valid `cf_clearance` value across multiple requests or devices to bypass additional challenges.
+
+This rate limiting rule helps mitigate such abuse by restricting how many requests can be made with the same `cf_clearance` value within a defined period. Legitimate human users will remain unaffected, while automated or replayed requests using a single clearance token will be blocked once the threshold is exceeded.
+
+| Setting                  | Value                                  |
+| ------------------------ | -------------------------------------- |
+| Matching criteria        | URI Path equals `/checkout`            |
+| Expression               | `http.request.uri.path eq "/checkout"` |
+| Counting characteristics | Cookie (`cf_clearance`)                |
+| Rate (Requests / Period) | 100 requests / 10 minutes              |
+| Action                   | Block                                  |
+
 ### Allow specific IP addresses or ASNs
 
 Another use case when controlling access to resources is to exclude or include IP addresses or Autonomous System Numbers (ASNs) from a rate limiting rule.