Rate Limiting
Restricting the number of requests a client can make within a time window. Protects origins from abuse, slows bulk scraping, and provides a basic defense against application-layer DDoS attacks.
Full Explanation
Rate limiting is your first line of defense against misbehaving clients. Whether it's a bot scraping your entire site, an API client gone haywire, or a low-effort DDoS—rate limiting stops them from overwhelming your infrastructure.
CDNs implement rate limiting at the edge, which means excess traffic is blocked before it ever reaches your origin. Rules are typically keyed on: requests per IP per time window, requests per path/endpoint, or requests per API key/session. Keying on IP alone has two known failure modes: a distributed botnet stays under any per-IP threshold, and carrier-grade NAT puts thousands of legitimate users behind one address, so one abuser can get all of them blocked. For authenticated traffic, key on the API key or session instead.
The algorithms matter. Fixed window: a simple counter that resets each interval; a client can send the full limit just before a boundary and the full limit again just after it, so about 2x the limit lands in a span much shorter than one window. Sliding window: counts requests in the trailing interval, so there is no boundary burst, at the cost of either a timestamp log per key or a weighted-counter approximation. Token bucket: tokens refill at a steady rate and each request spends one, so bursts up to the bucket size are allowed while the long-run average stays bounded. Most CDN edges use a sliding window (or its approximation) or a token/leaky bucket; nginx's limit_req is a leaky bucket, with burst= setting its depth.
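The three algorithms above, implemented side by side and driven by one constructed request trace so the fixed-window boundary burst is visible. This is an added example for this page, not code from nginx, Cloudflare or any CDN; the class names, the "ip:path" key format and the timings in the trace are assumptions made for illustration.

```python
"""Fixed window vs. sliding-window log vs. token bucket, replayed against a
constructed burst that straddles a 60 s window boundary.

Added example, not code from any CDN product. Limiter names, key format and
the request trace are illustrative assumptions.
"""
from collections import defaultdict, deque


class FixedWindow:
    """Counter that resets every `window` seconds.

    Weakness: `limit` requests at the end of one window plus `limit` at the
    start of the next is 2x the limit in well under one window.
    """

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.counts: dict[str, tuple[int, int]] = {}  # key -> (window_id, count)

    def allow(self, key: str, now: float) -> bool:
        win = int(now // self.window)
        win_id, count = self.counts.get(key, (win, 0))
        if win_id != win:                 # new window: counter starts over
            win_id, count = win, 0
        if count >= self.limit:
            self.counts[key] = (win_id, count)
            return False
        self.counts[key] = (win_id, count + 1)
        return True


class SlidingWindowLog:
    """One timestamp per accepted request; admit only if fewer than `limit`
    fall inside the trailing `window` seconds. No boundary burst, but O(limit)
    memory per key, which is why edges usually approximate it with counters.
    """

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.log: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.log[key]
        while q and q[0] <= now - self.window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class TokenBucket:
    """`capacity` tokens, refilled at `rate` tokens/second; a request spends
    one. Bursts up to `capacity` pass, the long-run average is bounded by
    `rate` (what nginx's burst= parameter approximates).
    """

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.state: dict[str, tuple[float, float]] = {}  # key -> (tokens, last_ts)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.state.get(key, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1, now)
        return True


def boundary_burst(limiter, key="203.0.113.7:/api/", limit=10):
    """Replay a constructed trace: `limit` requests at t=59.9 s and `limit`
    more at t=60.1 s. Returns how many of the 2*limit requests were admitted
    within that 0.2 s span (limit is 10 per 60 s for all three limiters).
    """
    trace = [59.9] * limit + [60.1] * limit   # constructed, not real traffic
    return sum(limiter.allow(key, t) for t in trace)


if __name__ == "__main__":
    for name, lim in [
        ("fixed window", FixedWindow(10, 60)),
        ("sliding log ", SlidingWindowLog(10, 60)),
        ("token bucket", TokenBucket(rate=10 / 60, capacity=10)),
    ]:
        print(f"{name}: admitted {boundary_burst(lim)} of 20 requests in 0.2 s")
```

Running it shows the fixed window admitting all 20 requests while the sliding log and token bucket each stop at 10. The token bucket also shows the other half of its behaviour: once drained, it admits one more request only after enough time has passed for a token to refill.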
Examples
# Nginx: rate limiting (limit_req_zone must sit in the http{} context)
http {
    # Key on the client address; a 10m zone holds roughly 160k IPv4 states.
    # Behind a CDN, $binary_remote_addr is the edge's IP, so configure
    # set_real_ip_from/real_ip_header (ngx_http_realip_module) first, or
    # every client shares one counter.
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
    server {
        location /api/ {
            # burst=20 queues up to 20 excess requests; nodelay serves them
            # immediately instead of pacing them at 10r/s
            limit_req zone=api burst=20 nodelay;
            limit_req_status 429;   # default is 503
        }
        location /login {
            # without nodelay, excess requests are delayed to 1r/s and
            # rejected once more than 5 are waiting
            limit_req zone=login burst=5;
            limit_req_status 429;
        }
    }
}
# Cloudflare rate limiting rule (legacy rate_limits API; new rules are
# created through the Rulesets API in the http_ratelimit phase)
curl -X POST "https://api.cloudflare.com/client/v4/zones/{zone}/rate_limits" \
  -H "Authorization: Bearer $CF_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "match": {"request": {"url": "*.example.com/api/*"}},
    "threshold": 100,
    "period": 60,
    "action": {"mode": "simulate"}
  }'
# "simulate" only logs matches without blocking; switch the mode to "ban" or
# a challenge once the threshold has been tuned against real traffic.
Related CDN concepts include:
- DDoS (Distributed Denial of Service) — An attack that floods a server with traffic from many sources to make it unavailable. …