Developer platform (ETI)
Rate Limiting (Workers binding)
Score: 5/10Real potential, but too limited and too loose for accurate limits.
Last updated
The rate limiting binding puts a limiter directly in a Worker. Define a limit and period, call limit({ key }), and branch on the result. It needs no Durable Object or external store. For stopping one API key from hammering an endpoint, very little code is required.
The limitations appear quickly. Only two fixed periods exist, 10 or 60 seconds, so a rule such as 100 requests per hour is impossible. More importantly, counting happens independently at each Cloudflare location. Cloudflare’s own docs call the API permissive, eventually consistent, and not an accurate accounting system. A distributed client can exceed the configured limit by a wide margin. That is acceptable for slowing abuse, but not for billing or hard quotas.
The ergonomics are good, and flexible windows with stronger consistency would make this an easy 8. For now, use it as a cheap first defense and keep WAF rate limiting or your own state for limits that must be correct.