Core platform
Rate Limiting
Score: 7/10Essential and effective; the granularity you want costs more.
Last updated
Modern rate limiting rules use the WAF engine and its expression language. They are much better than the old product, which billed per request. Every plan can count by IP, while headers, cookies, JA4, and query values require higher tiers.
For basic brute-force and abuse protection it’s a ten-minute setup that just works. The mitigation timeout options and the ability to count on one expression while mitigating on another cover most real-world shapes.
It loses points because the most useful characteristics require Business or Enterprise, and because observability is weak. Checking what a rule would catch before enforcing it is clumsier than it should be.