Commit c4fe586

[WAF] Update RL requirements (#24339)
1 parent 0451bce commit c4fe586

2 files changed

+8
-4
lines changed

src/content/docs/waf/rate-limiting-rules/best-practices.mdx

Lines changed: 7 additions & 3 deletions
@@ -85,7 +85,7 @@ A typical use case of rate limiting is to protect a login endpoint against attac
8585
| Matching criteria | Hostname equals `example.com` and URI Path equals `/login` and Request Method equals `POST` |
8686
| Expression | `http.host eq "example.com" and http.request.uri.path eq "/login" and http.request.method eq "POST"` |
8787
| Counting characteristics | IP |
88-
| Counting criteria | URI Path equals `/login` and Method equals `POST` and Response code is in (401, 403) |
88+
| Increment counter when | URI Path equals `/login` and Method equals `POST` and Response code is in (401, 403) |
8989
| Counting expression | `http.request.uri.path eq "/login" and http.request.method eq "POST" and http.response.code in {401 403}` |
9090
| Rate (Requests / Period) | 4 requests / 1 minute |
9191
| Action | Managed Challenge |
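Review bot: the renamed "Increment counter when" row in this first table abbreviates the conditions to "Method" and "Response code", while the identical rows in the Rule #2 and Rule #3 tables further down read "Request Method" and "Response Status Code". Since the point of this change is to line the tables up with the dashboard labels, make all three rows use the same wording, e.g. `| Increment counter when | URI Path equals `/login` and Request Method equals `POST` and Response Status Code is in (401, 403) |`.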
@@ -97,7 +97,7 @@ A typical use case of rate limiting is to protect a login endpoint against attac
9797
| Matching criteria | Hostname equals `example.com` and URI Path equals `/login` and Request Method equals `POST` |
9898
| Expression | `http.host eq "example.com" and http.request.uri.path eq "/login" and http.request.method eq "POST"` |
9999
| Counting characteristics | IP |
100-
| Counting criteria | URI Path equals `/login` and Request Method equals `POST` and Response Status Code is in (401, 403) |
100+
| Increment counter when | URI Path equals `/login` and Request Method equals `POST` and Response Status Code is in (401, 403) |
101101
| Counting expression | `http.request.uri.path eq "/login" and http.request.method eq "POST" and http.response.code in {401 403}` |
102102
| Rate (Requests / Period) | 10 requests / 10 minutes |
103103
| Action | Managed Challenge |
@@ -109,11 +109,13 @@ A typical use case of rate limiting is to protect a login endpoint against attac
109109
| Matching criteria | Host equals `example.com` |
110110
| Expression | `http.host eq "example.com"` |
111111
| Counting characteristics | IP |
112-
| Counting criteria | URI Path equals `/login` and Request Method equals `POST` and Response Status Code is in (401, 403) |
112+
| Increment counter when | URI Path equals `/login` and Request Method equals `POST` and Response Status Code is in (401, 403) |
113113
| Counting expression | `http.request.uri.path eq "/login" and http.request.method eq "POST" and http.response.code in {401 403}` |
114114
| Rate (Requests / Period) | 20 requests / 1 hour |
115115
| Action | Block for 1 day |
116116

117+
_These example rules require a Business plan or above._
118+
117119
Rule #1 allows up to four requests per minute, after which a Managed Challenge is triggered. This configuration allows legitimate customers a few attempts to remember their password. If an automated actor makes several requests, that client will likely be blocked by an unsolved Managed Challenge. On the other hand, if a human gets and passes the challenge when reaching rule #1's rate limit, rule #2 will provide the next level of protection, allowing for up to 10 requests over the next 10 minutes. For clients exceeding this second threshold, rule #3 (the most severe) will apply, blocking the client for one day.
118120

119121
These three rules have a counting expression separate from the rule expression (also known as mitigation expression). When you configure a separate counting expression, the matching criteria will only be used when an action is triggered. In the counting expression you can include conditions based on the HTTP response status code and HTTP response headers, therefore integrating rate limiting with your backend logic.
@@ -241,6 +243,8 @@ In this situation, you could configure a rule similar to the following:
241243
| Rate (Requests / Period) | 5 requests / 3 minutes |
242244
| Action | Managed Challenge |
243245

246+
_This example rule requires a Business plan or above._
247+
244248
To control the rate of actions performed by automated sources, consider use rate limiting rules together with [Bot Management](/bots/get-started/bot-management/). With Bot Management, you can use the [bot score](/bots/concepts/bot-score/) as part of the matching criteria to apply the rule only to automated or likely automated traffic. For example, you can use a maximum score (or threshold) of `30` for likely automated traffic and `10` for automated traffic.
245249

246250
If your application tracks sessions using a cookie, you can use the cookie to set the rate limiting context (that is, use it as a counting characteristic). By setting the rate limiting characteristic to Cookie, the rule will group together requests from different IP addresses but belonging to the same session, which is a common scenario when dealing with a bot network performing a distributed attack.

src/content/partials/waf/rate-limiting-availability-by-plan.mdx

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,7 @@ import { Details } from "~/components";
88
| ------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
99
| Available fields<br/>in rule expression | Path, [Verified Bot](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/) | Host, URI, Path, Full URI, Query, Verified Bot | Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot | General request fields, request header fields, Verified Bot, Bot Management fields[^1] | General request fields, request header fields, Verified Bot, Bot Management fields[^1], request body fields[^2] |
1010
| Counting characteristics | IP | IP | IP, IP with NAT support | IP, IP with NAT support | IP, IP with NAT support, Query, Host, Headers, Cookie, ASN, Country, Path, JA3/JA4 Fingerprint[^1], JSON field value[^2], Body[^2], Form input value[^2], Custom |
11+
| Custom counting expression | No | No | Yes | Yes | Yes |
1112
| Available fields<br/>in counting expression | N/A | N/A | All rule expression fields, Response code, Response headers | All rule expression fields, Response code, Response headers | All rule expression fields, Response code, Response headers |
1213
| Counting model | Number of requests | Number of requests | Number of requests | Number of requests | Number of requests, [complexity score](/waf/rate-limiting-rules/request-rate/#complexity-based-rate-limiting) |
1314
| Rate limiting<br/>action behavior | Perform action during mitigation period | Perform action during mitigation period | Perform action during mitigation period | Perform action during mitigation period, Throttle requests above rate with block action | Perform action during mitigation period, Throttle requests above rate with block action |
@@ -40,4 +41,3 @@ Not all values are available on all plans.
4041
5: Enterprise customers must have application security on their contract to get access to rate limiting rules. The number of rules depends on the exact contract terms.
4142

4243
</Details>
43-
